Security audit

ros2-engineering-skills

Security checks across malware telemetry and agentic risk

Overview

This is a broad ROS 2 engineering reference with disclosed helper scripts; it does not show hidden execution or malicious behavior, but some examples require careful handling on real robots or host systems.

Install this if you want a comprehensive ROS 2 reference plus optional local utility scripts. Review commands before running them, especially examples involving real robot motion, rosbag recording, Foxglove/live telemetry, sudo, Docker deployment, boot settings, or real-time tuning. Keep work in version control before using `--force` scaffolding.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 84%
Finding
The skill appears capable of reading/writing files and invoking shell-like workflows, but it does not declare any permissions. That creates a transparency and governance gap: callers may invoke a skill believing it is advisory-only when it can materially modify a workspace or run commands. In an engineering skill that is likely to be auto-triggered, hidden capabilities increase the chance of unintended filesystem changes or command execution.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 93%
Finding
The description presents the skill as a guide/knowledge resource, but the detected behavior includes scaffolding files, performing analysis, and running Docker-based test builds. This mismatch is dangerous because users or orchestrators may route tasks to the skill under a low-risk assumption while it can alter project state and execute command workflows. In a broad ROS 2 engineering context, that can affect source trees, CI artifacts, and deployment configurations.

Vague Triggers

Medium
Confidence: 74%
Finding
The trigger scope is extremely broad, covering nearly any ROS 2, robotics middleware, simulation, deployment, or migration task. Over-broad routing increases the chance the skill is invoked in contexts where its write/shell capabilities are unnecessary or unsafe, amplifying accidental changes and making least-privilege enforcement harder. Because this skill spans security, deployment, and hardware-adjacent domains, unintended invocation carries elevated operational risk.

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation explicitly recommends enabling service introspection in "contents" mode and echoing full request/response pairs, but it does not warn that this can expose secrets, credentials, personal data, or safety-relevant commands onto observable ROS topics and logs. In ROS 2 environments that are not hardened with SROS2, localhost-only discovery, or strict network segmentation, this materially increases information disclosure risk during debugging and operations.

Missing User Warnings

Medium
Confidence: 92%
Finding
The guidance recommends recording all ROS 2 topics with `ros2 bag record -a` but does not warn that bags may include sensitive telemetry, camera feeds, maps, credentials accidentally published on topics, or personal data. In robotics environments, broad capture is often operationally useful, but omission of any privacy/data-handling caution can lead to unnecessary collection and retention of sensitive information.

Missing User Warnings

Medium
Confidence: 94%
Finding
The Foxglove bridge instructions expose live ROS 2 data over a WebSocket endpoint without noting that any reachable client may be able to observe operational telemetry, sensor feeds, and system state. In a robotics stack, this can leak sensitive environment data or internal topology, especially if the bridge is bound beyond localhost or used on shared networks.

Missing User Warnings

Medium
Confidence: 88%
Finding
The file provides actionable examples that can command real robot motion (`move()`, `execute()`, Cartesian path execution) and install system packages without any nearby warning that these actions may move physical hardware or modify the host system. In a ROS 2/MoveIt manipulation guide, this context makes the omission more significant because readers are likely to copy examples into live robot environments where unsafe motion, collisions, or unintended system changes can occur.

Missing User Warnings

Medium
Confidence: 92%
Finding
This section instructs readers to change bootloader/kernel parameters and reboot the system, but it does not clearly warn that mistakes can leave the system unbootable, degrade scheduling/network behavior, or require console recovery. In a robotics engineering skill, these actions are operationally relevant, but the lack of explicit safety cautions makes the guidance risky for less experienced users.

Missing User Warnings

Medium
Confidence: 94%
Finding
The file recommends forcing the CPU governor to performance and disabling turbo without clearly warning about higher power draw, heat, battery/runtime impact, and the possibility that changes may not persist or may affect the whole system. In robotics/RT tuning this is legitimate advice, but absent operational warnings it can cause unsafe thermal or performance side effects in deployed systems.

Missing User Warnings

Medium
Confidence: 95%
Finding
The IRQ affinity loop rewrites settings under /proc for all IRQs, which can disrupt network, storage, USB, or serial device handling if moved incorrectly. In real-time tuning this can be useful, but presenting a blanket rewrite without a strong warning and scoping guidance creates a realistic risk of service interruption on the robot or host.

Missing User Warnings

Medium
Confidence: 84%
Finding
Using `--force` allows the script to overwrite files in an existing package directory without an interactive confirmation or safer replacement strategy. In a developer tooling context, this can destroy source, launch, config, or security policy files and may cause accidental loss of hardening artifacts such as SROS2 configs, especially because this skill is intended to scaffold ROS 2 packages in active workspaces.

VirusTotal

54/54 vendors flagged this skill as clean.


Static analysis

Detected: suspicious.generated_source_template_injection

User-controlled placeholder is embedded directly into generated source code.

Critical
Code: suspicious.generated_source_template_injection
Location: references/deployment.md:319