ClawHub

xiaodu-senior-night-assist-official

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed night-assist home-automation workflow that turns selected lights on and off through an existing Xiaodu control skill, with some practical privacy and activation caveats.

Install only if you trust the existing xiaodu-control-official skill and are comfortable letting this skill control selected household lights and possibly write local preference notes. Configure wake-word or active-session gating for broad phrases, and review or disable XIAODU_CONTEXT.md/MEMORY.md persistence if household routine privacy matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrases are broad everyday expressions such as '太黑了' and '我要喝水,开一下灯', which can cause unintended activation in normal conversation. In a home-automation skill controlling lights and related devices for elderly nighttime assistance, accidental triggering can lead to confusing or unsafe device actions, especially at night when wrong-room activation or unexpected speech/output may startle users.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrase “太黑了” is broad, conversational, and appears in tests as a valid input that can initiate device actions such as turning on lights and scheduling automatic tail behavior. In a voice-controlled elder-care context, that increases the risk of accidental activation from ordinary speech, TV audio, or unrelated conversation, causing unintended device control at night.

Vague Triggers

Medium
Confidence
81% confidence
Finding
“夜里起夜” is a natural phrase but is still relatively broad as an activation input, especially in a shared ambient voice environment. Because this skill orchestrates real IoT actions for nighttime assistance, insufficient scoping could lead to unintended scene or lighting execution when the phrase is mentioned descriptively rather than as a command.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The listed trigger phrases include broad, common utterances such as '太黑了' and '我要喝水,开一下灯', which can overlap with ordinary lighting requests and cause the night-assist workflow to run unintentionally. In this skill's context, unintended activation is more sensitive because it can chain multiple device actions, speech, and auto-shutoff behavior rather than performing a single simple light command.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document instructs the system to persist user preferences into XIAODU_CONTEXT.md without any notice, consent flow, retention policy, or limits on what can be stored. Even though the examples seem low sensitivity, repeated nighttime behavior and household routine preferences can reveal personal habits, health-related patterns, or presence information if retained indefinitely or accessed improperly.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal