ClawHub

enzoldhazam

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed thermostat-control integration, with expected but sensitive credential use and device-changing commands.

Install only if you trust the GitHub source and the enzoldhazam.hu account integration. Prefer Keychain login over long-lived environment variables, avoid sharing credentials in chats or logs, and confirm the exact room and target temperature before allowing any set command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation instructs users to provide credentials via environment variables, which is a sensitive capability, but no explicit permission declaration is present. This creates a mismatch between the skill's stated interface and its actual data access needs, increasing the chance that secrets are handled without appropriate review, disclosure, or sandboxing.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to place account credentials in environment variables without any warning about common exposure paths such as shell history, process inspection, crash logs, CI logs, or inherited environments. In a home-automation skill that controls thermostats tied to a real account, compromised credentials could allow unauthorized access to device status and temperature control.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation description is broad enough to trigger on general discussion about home temperature or heating, not just clear requests to control a thermostat. In a home-automation skill, over-broad invocation can lead to unintended access to thermostat state or accidental preparation for device control in response to ambiguous user intent.

Credential Access

High
Category
Privilege Escalation
Content
| `enzoldhazam status --json` | JSON output for parsing |
| `enzoldhazam get <room>` | Get specific room details |
| `enzoldhazam set <room> <temp>` | Set target temperature |
| `enzoldhazam login` | Save credentials to Keychain |
| `enzoldhazam logout` | Clear stored credentials |

## Examples
Confidence
91% confidence
Finding
Keychain

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal