Back to skill

Security audit

Anova Oven

Security checks across malware telemetry and agentic risk

Overview

The skill appears to control Anova devices as advertised, but it can remotely start or stop a real heating appliance without confirmation or reliable target selection.

Review before installing if an agent could act on casual prompts. Only allow explicit user-confirmed start, stop, or temperature-changing actions; verify the exact Anova device before execution; add reasonable temperature/duration/fan/humidity bounds; and consider pinning the websockets dependency before regular use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill documentation instructs the user to read a bearer token from a local file (`~/.config/anova/token`) but does not declare that file-read capability. Undeclared sensitive file access reduces transparency and can bypass user expectations or policy controls around credential handling.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The stated behavior overclaims support for device types and cooking modes, while the implementation reportedly only controls APO ovens in a more limited way and also performs device discovery not clearly disclosed. In a remote-control skill for cooking hardware, this mismatch is dangerous because users or higher-level agents may issue commands under false assumptions, potentially changing the wrong device state or relying on unsupported safety-critical behavior.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This skill provides direct commands to start, modify, and stop a physical oven without any explicit safety warning, confirmation requirement, or reminder that the action affects real hardware. Because the capability can change heating state remotely, a user or downstream agent could trigger potentially hazardous operation without appreciating the physical-world consequences.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The natural-language examples are broad imperative phrases like 'Stop cooking' and 'Preheat the oven,' without confirmation, identity checks, or activation boundaries. For a skill that remotely controls a live oven/cooker, ambiguous triggers can cause accidental or unintended command execution with real-world safety consequences.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The description emphasizes convenience features but does not clearly foreground that the skill can start, modify, or stop active cooking sessions on physical appliances. In the context of remotely controlled heating devices, insufficient warning increases the risk of unsafe use, accidental interruption, or changes to unattended cooking.

Missing User Warnings

High
Confidence
97% confidence
Finding
This skill can remotely start and stop a physical oven without any confirmation prompt, interlock, or explicit safety warning. In the context of a cooking-device control skill, that is dangerous because accidental invocation, misuse by another local process/user, or automation errors can trigger real-world safety hazards including unattended heating, burns, or fire risk.

Unpinned Dependencies

Low
Category
Supply Chain
Content
websockets>=10.0
Confidence
93% confidence
Finding
websockets>=10.0

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.