Back to skill

Security audit

Mqtt Client

Security checks across malware telemetry and agentic risk

Overview

This MQTT client is not clearly malicious, but it can listen to and print all broker topics visible to its credentials while the documentation suggests a narrower client.

Review before installing. Use only least-privilege MQTT credentials, assume this version may subscribe to and print all topics that account can read, inspect any .env file before running bootstrap.sh, and prefer a version that uses MQTT_TOPIC and avoids logging raw payloads by default.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares no permissions, yet its own description indicates it loads connection details from environment variables via a .env file. That means it implicitly consumes potentially sensitive secrets without transparent permission declaration, which can surprise users and lead to unintended credential exposure or unauthorized broker access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose says this is a simple MQTT client, but the observed behavior includes broad topic subscription, message receipt/logging, and automatic loading of credentials from environment. A skill that silently subscribes widely and logs broker traffic can capture sensitive data well beyond user expectations, making the mismatch itself security-relevant.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill claims to be a simple MQTT client, but on connection it unconditionally subscribes to "#", which receives every topic on the broker. This creates unnecessary data exposure and violates least privilege, especially because the behavior is broader than the stated functionality and could capture sensitive broker traffic unexpectedly.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The code defines a configurable TOPIC environment variable but ignores it and always subscribes to all topics. This mismatch is dangerous because operators may believe they are limiting collection scope when the implementation actually performs broad monitoring, increasing the chance of unauthorized data access or privacy violations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The resource description tells users to run bootstrap.sh with 'no other details needed' while omitting that it automatically connects to MQTT and loads connection details from the environment. This lack of warning reduces informed consent and can cause users to initiate network access and secret usage unintentionally.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The client logs every received message payload after subscribing to all topics, which can expose credentials, device telemetry, personal data, or internal broker traffic in logs. In this skill context, the combination of full-broker subscription and indiscriminate payload logging makes accidental data leakage more dangerous than a narrowly scoped MQTT client.

Credential Access

High
Category
Privilege Escalation
Content
#!/usr/bin/env bash
source /home/jc/.openclaw/workspace/skills/mqtt-client/venv/bin/activate
source /home/jc/.openclaw/workspace/skills/mqtt-client/.env
python3 /home/jc/.openclaw/workspace/skills/mqtt-client/scripts/run.py
Confidence
71% confidence
Finding
.env

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.