Back to skill

Security audit

Bardi Smart Home - Tuya Devices Compatible

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Tuya/Bardi smart-home controller, but it gives an agent broad authority to control real devices without built-in guardrails.

Install only if you want an agent to control your Tuya/Bardi smart-home devices. Use a dedicated least-privilege Tuya cloud project, keep credentials out of logs, run local scans only on trusted networks, and require explicit user approval before raw DP, batch, power, camera, curtain, or other safety-relevant commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The description advertises broad control over many Tuya devices and actions without clear trigger boundaries or user-confirmation expectations. That ambiguity can cause an agent to invoke the skill in situations the user did not clearly intend, leading to unintended device control in a real smart-home environment.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill supports local network discovery, but the description does not warn users that it may scan the local network. Network scanning can reveal device identities, IPs, and topology, and users may not expect that behavior from a generic smart-home control skill.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation explains cloud control features but does not clearly warn that device commands and related metadata are sent to the Tuya Cloud API. Users may assume actions are local-only, creating a privacy and data-handling transparency problem, especially for home occupancy and device-state information.

VirusTotal

55/55 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.