Dirigera Control (IKEA smart home)

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent IKEA Dirigera smart-home controller, but it can control real devices and stores a local hub token that users should protect.

Install only if you want the agent to control IKEA Dirigera devices. Treat `dirigera_token.txt` as a secret, store it in a private location or delete it after use, lock down any Cloudflare tunnel, and require explicit confirmation before broad actions such as turning off all outlets, all lights, or triggering whole-home scenes.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (9)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 95% confidence
Finding: The skill documents and encourages shell execution, network access, and local file read/write operations, including token generation and storage, but does not declare any permissions. That mismatch creates a trust and containment problem: a host may authorize or route the skill under the assumption it is low-privilege while the instructions actually require sensitive capabilities that can access the LAN and handle credentials.

Description-Behavior Mismatch

Medium

Confidence: 90% confidence
Finding: The helper module exposes home-wide bulk-control primitives such as turning off all lights or all outlets, which expands the operational scope beyond narrower per-device assistance. In a smart-home skill accessible through a remote tunnel, these broad actions materially increase the blast radius of misuse, prompt injection, or accidental invocation, enabling disruptive changes across the entire home at once.

Vague Triggers

Medium

Confidence: 83% confidence
Finding: The activation text is broad enough to match many generic smart-home requests, causing the skill to trigger in more situations than necessary. In context, this increases the chance that a skill with network, shell, and credential-handling behavior is invoked when the user did not specifically intend to use this Dirigera integration, potentially leading to unnecessary device control attempts or token-generation workflows.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The documentation instructs saving the Dirigera API token to a plaintext local file and later reading it back, but it does not warn that the token is a sensitive credential or prescribe secure handling. If that file is readable by other processes, persisted in logs, backups, or shared directories, an attacker could reuse the token to control the user's smart-home devices over the accessible tunnel or local network.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: These examples perform broad live-device actions such as turning off all lights or outlets, but they do not warn that the code affects real smart-home equipment. In this skill context, users are likely to copy examples directly, so missing guardrails can lead to accidental disruption of the home environment, including powering off important connected devices.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The energy-saving example shuts down non-essential outlets and then turns off all lights, which is a destructive bulk action pattern without any confirmation, simulation mode, or strong warning. In a smart-home control skill, this is more dangerous because users may execute it against production devices and unintentionally disable equipment that was misclassified, unnamed, or placed in the wrong room.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The script performs subnet-wide port scanning and, when a token is supplied, sends authenticated verification requests to discovered hosts. While this behavior is consistent with finding a Dirigera hub, it is still active network probing that can unexpectedly interact with non-target devices on the local network and may expose sensitive operational details in environments where such scanning is not expected or authorized.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The script writes the access token directly to disk in plaintext with a predictable default filename and no permission hardening or warning to the user. If the host is multi-user, backed up, synced, or otherwise accessible, this credential can be recovered and used to control the Dirigera smart home environment.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The code performs destructive home-wide state changes immediately, without requiring a second user confirmation, safety interstitial, or policy check. That makes accidental phrasing, misrouting, or adversarial instruction injection more likely to cause real-world disruption, especially when outlets are involved because they may power critical appliances or network equipment.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal