Security audit

xiaodu-bedtime-soother-official

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed bedtime home-automation orchestrator that can control XiaoDu devices and media, with no evidence of hidden, destructive, or unrelated behavior.

Install only if you want bedtime phrases to let the agent control XiaoDu smart screens and supported IoT devices. Review the dependency skill xiaodu-control-official because it performs the actual device actions, and be aware this skill can store preferences and schedule delayed stop/screen-off behavior after story playback.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The test cases expand the bedtime skill from scene-first IoT orchestration into media playback, delayed stop/pause, and screen-off behaviors that are not covered by the stated manifest scope. This kind of scope drift is dangerous because it can cause the agent to invoke additional capabilities and side effects users did not clearly consent to, especially around unattended playback and device state changes after a delay.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
These test cases require content playback and delayed cleanup controls even though the skill is described as a bedtime scene orchestrator, not a media or automation scheduler. In a child bedtime context, hidden or weakly justified cross-capability actions are more sensitive because they can affect screen behavior, audio playback duration, and unattended device control beyond the user's immediate request.

Intent-Code Divergence

Medium
Confidence: 83%
Finding
The tests describe the skill as scene-first but also define a default story-first path, creating contradictory execution expectations. This inconsistency can lead the implementation to prioritize media actions over environmental safety/setup, making behavior less predictable and increasing the chance of unintended actions being triggered by broad bedtime requests.

Vague Triggers

Medium
Confidence: 83%
Finding
The trigger conditions are broad natural-language phrases such as '带孩子睡觉' ("put the child to bed") and '把房间调整到适合睡觉的状态' ("adjust the room to a state suitable for sleeping"), which can cause the skill to activate on ambiguous requests and initiate real-world device actions. In this context, the skill can control IoT devices and media playback, so overbroad activation increases the risk of unintended room/device manipulation or unwanted bedtime routines.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger phrases are broad, everyday utterances such as requests to help a child sleep or adjust a room for bedtime, without clear exclusion rules or stronger disambiguation. In a home-control skill, that increases the risk of accidental invocation and unintended device/media actions, especially when the tests also expect multi-step orchestration and possible follow-up control chains.

VirusTotal

60/60 vendors flagged this skill as clean.