Openclaw Skill Tado

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Tado thermostat skill whose account access and heating controls are disclosed and aligned with its purpose.

Install only in an environment where you trust how Tado tokens are stored. Treat commands that set temperature as real-world actions: confirm the home, zone, temperature, and duration before running them, prefer timer or schedule-bound overrides, and revoke the Tado authorization when you no longer use the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill includes commands that can change thermostat settings, including permanent manual overrides, but does not clearly warn that these actions affect a physical environment, may increase energy usage, and may leave heating on until manually reverted. In a home-control skill, omitted safety guidance materially raises the chance of harmful or costly misuse even if the API usage itself is legitimate.

VirusTotal

66/66 vendors flagged this skill as clean.
