ClawHub

Dahua Cloud Open IoT Basic General Kit

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a real Dahua Cloud IoT management tool, but it should be reviewed before installation because it can affect real devices and handles secrets too casually.

Install only if you intend to give this skill real Dahua Cloud device-management authority. Use least-privilege or test credentials first, avoid persistent secrets where possible, disable verbose logging for real operations, do not pass real passwords on command lines, rotate any exposed keys, and manually verify targets before deletion, SD formatting, WiFi changes, or callback/subscription changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide recommends permanently storing access key and secret key in user-level environment variables without warning about local credential exposure. Persistent secrets can be recovered by other local processes, users with profile access, shell history or support tooling, increasing the chance of credential theft and unauthorized access to the Dahua cloud tenant.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation advertises destructive operations such as SD card formatting, WiFi reconfiguration, subscription deletion, and callback deletion without prominent safety warnings or confirmation guidance. In an agent setting, this raises the risk of accidental destructive actions against production devices or monitoring workflows.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill includes device deletion commands directly in quick-start style examples without warning that removal may disrupt monitoring, detach devices from management, or require recovery steps. Because this is an IoT management skill operating on real infrastructure, omission of a cautionary note materially increases the chance of operator error.

Missing User Warnings

High
Confidence
98% confidence
Finding
The client logs full request payloads verbatim, and several APIs include secrets such as device passwords, encrypted devCode values, Wi-Fi passwords, callback URLs, and other sensitive operational data. These logs can be captured in terminal scrollback, CI logs, centralized logging systems, or support bundles, turning routine operation into credential disclosure.

Missing User Warnings

High
Confidence
99% confidence
Finding
The encrypt command prints the original device password in cleartext before printing the transformed value. That exposes secrets directly to anyone with terminal access, shell recording, screen capture, process output capture, or CI/CD logs, and is especially risky because this command is specifically handling credentials.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The helper methods print full authorization headers, including AppAccessToken, AccessKey, nonce, timestamp, and signature material, directly to stdout. In real deployments, console output is often captured by shell history, CI logs, container logs, terminal recording tools, or support bundles, which can expose active credentials or reusable request metadata to unauthorized parties.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal