rauto-usage

Security checks across malware telemetry and agentic risk

Overview

This is a real device-automation skill that is mostly purpose-aligned, but it gives an agent broad execution authority while under-warning about credentials, recordings, restore, and saved local state.

Install only if you intentionally want an agent to operate rauto against devices you control. Prefer named connections or secure prompts over command-line passwords, avoid printing real secrets in exact command summaries, use dry-runs and canary scopes before changes, confirm restore/delete/orchestration targets explicitly, and protect or periodically clean ~/.rauto histories, recordings, connections, and backups.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Vague Triggers

Severity: Medium
Confidence: 94%
Finding
The manifest description contains very broad trigger phrases such as 'run command for me' and 'execute on device' that can match many ordinary requests and cause this high-impact execution skill to activate too often. In this context, over-triggering is dangerous because the skill is explicitly designed to perform real device operations, increasing the chance of unintended command execution or escalation into sensitive infrastructure actions.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The default prompt delegates broad authority to 'run rauto directly' and even 'ask only for missing required inputs,' which encourages execution with minimal clarification or policy gating. In a skill explicitly designed to run device commands, workflows, orchestration, backup/restore, and profile/connection operations, this broad trigger scope can cause unsafe or unintended execution on infrastructure from ambiguous user requests.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The playbook includes a direct-credential example that passes `--password` on the command line without any warning or safer alternative. Command-line credentials can be exposed through shell history, process listings, logs, audit trails, and agent telemetry, which is especially risky in an agent-execution context where commands may be recorded or summarized automatically.

Natural-Language Policy Violations

Severity: Medium
Confidence: 89%
Finding
The playbook allows destructive execution to proceed directly if the user uses certain Chinese words such as '删除' or 'replace 恢复', effectively treating language-specific phrasing as sufficient confirmation. This is dangerous because it weakens the confirmation boundary, creates inconsistent safety behavior across languages, and can cause accidental or manipulated destructive actions without a clear, standardized confirmation step.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The examples show backup restore, including `--replace`, without any warning about destructive effects or the possibility of restoring sensitive saved state such as connections or stored credentials. In this skill's context, users are encouraged to execute CLI commands directly, so omission of safety guidance materially increases the risk of accidental destructive recovery actions or insecure restoration of persisted secrets.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The scenario explicitly shows passing passwords on the command line for connection testing and saving, but gives no warning about shell history, process list exposure, or secure storage expectations. In a skill whose purpose is to help users operate real network devices, this can lead to credential disclosure and reuse risk in routine workflows.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The recording and replay guidance encourages capturing sessions without warning that recordings may contain sensitive commands, outputs, hostnames, credentials, tokens, or configuration state. Because these recordings are later replayed and inspected, they create a durable artifact that may expand the blast radius of any accidental data capture.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The backup restore instructions include a destructive replace mode with only a brief parenthetical note, which is easy to miss in an operational runbook. In this device-management context, an accidental full replace can overwrite working state, cause outages, or erase recovery data across production environments.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The instruction 'Use this file when the user asks for Web operations' is broad enough to trigger this reference in many contexts, including potentially sensitive operations like backup restore, replay, template execution, and multi-device orchestration. In an agent skill that can directly execute actions, over-broad activation increases the chance of the agent surfacing or performing powerful operations without sufficient scoping, confirmation, or safety checks.

VirusTotal

66/66 vendors flagged this skill as clean.