ClawHub

Roborock Vacuum Control

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Roborock vacuum-control guide, with expected account login and device-control risks but no evidence of hidden, destructive, or unrelated behavior.

Install only if you trust the python-roborock CLI and are comfortable giving it access to your Roborock/Xiaomi Home account and linked vacuums. Confirm device and room IDs before running cleaning or settings commands, treat map images and device IDs as private, and enter credentials only into the CLI prompt, not into chat or shared logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The description explicitly says the skill triggers on generic terms like "vacuum," "clean floor," "hoover," and "robot cleaner," which are broad enough to match ordinary conversation that may not intend device control. Because this skill can send real commands to a cloud-connected vacuum, accidental activation could result in unintended cleaning, interruption of schedules, or disclosure of device state.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The setup instructs the user to run `roborock login` and enter their Roborock/Xiaomi Home email and password, but it provides no warning that this involves handling credentials for a cloud account and controlling an internet-connected household device. Omitting a privacy and security notice can lead users to expose sensitive credentials in unsafe environments and may normalize storing or entering account secrets without caution.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal