ClawHub

Starlink

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be legitimate Starlink administration tooling, but it exposes sensitive device/location data and internet-disrupting controls without enough explicit consent or warning.

Install only if you intend to let the agent administer your own Starlink hardware. Before running it, verify the source repository, prefer a pinned revision, and require the agent to ask before showing client lists/location data or running reboot/stow commands that may interrupt service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill description uses broad triggers like 'internet status,' 'connected devices,' and 'satellite connectivity,' which can match ordinary support-oriented user requests and cause the agent to invoke a capability-bearing skill unexpectedly. Because this skill can perform both read-sensitive actions (WiFi clients, GPS location) and disruptive state-changing actions (stow, reboot), overbroad invocation increases the chance of unintended privacy exposure or service disruption.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill documents disruptive control operations like stowing and rebooting the dish without any warning that these actions can interrupt connectivity or affect service availability. In an agent setting, exposing such actions without a clear caution or confirmation expectation creates a realistic risk of accidental denial of service against the user's own internet connection.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill exposes WiFi client inventory and GPS location data, both of which are sensitive information, but the documentation provides no privacy warning or consent guidance. If invoked too freely, it could reveal household device identities, internal IP/MAC data, or precise location information beyond what the user intended to share.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal