Workswith Claw

Security checks across malware telemetry and agentic risk

Overview

This smart-home skill is purpose-aligned, but it needs Review because its default deployment can expose Home Assistant data/control and persistent automation changes without adequate authentication or scoping.

Install only in a tightly trusted local environment. Set a non-empty API key or put the service behind real authentication, bind it to localhost or firewall it from the LAN/Internet, prefer HTTPS or an isolated trusted link to Home Assistant, rotate/protect the HA token, avoid storing the token in the dashboard, and review generated automation YAML before enabling it. Treat any LLM/OpenClaw integration as a separate opt-in privacy decision.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill documentation describes use of sensitive capabilities including environment-based HA tokens, network access to Home Assistant, and filesystem writes to the Home Assistant automations directory, but the analyzer reports these are not formally declared as permissions. That creates a transparency and consent gap: users may authorize or deploy the skill without understanding it can control devices, read secrets, and write persistent automation files.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The described behavior materially exceeds the high-level summary: beyond semantic understanding, it can directly control Home Assistant services, write YAML automations, expose management endpoints, persist behavioral data, and call external LLM/OpenClaw services. This mismatch is dangerous because it can mislead users about the real trust boundary, data flows, and persistence mechanisms, resulting in underinformed consent for home-device control and data exposure.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding: The README makes strong privacy claims that all data remains local and is never uploaded, while also documenting integrations with third-party messaging channels and embedding externally hosted GitHub assets. This creates a misleading security posture: users may assume no data leaves the device when in practice metadata, content, or network requests may be exposed to external services.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The FAQ claims HTTPS and mutual TLS are used, but the installation example shows Home Assistant accessed over plain HTTP on a local IP. This inconsistency can cause operators to deploy an unencrypted control channel for home automation commands and tokens, exposing credentials or device control traffic to interception on the local network.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding: The dashboard endpoint is presented as an insights feature, but it performs live occupancy and room-activity inference from Home Assistant state data, including whether people are home and which rooms appear active. This creates a privacy-sensitive surveillance surface that may expose real-time presence information to any caller of the endpoint if access controls are weak or absent elsewhere in the application.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The example trigger phrases are extremely broad everyday utterances such as '开灯' ("turn on the lights") and '看电影' ("watch a movie"), which can easily be spoken unintentionally or appear in conversational context. In a system that controls physical devices, ambiguous activations can lead to unintended actions affecting lighting, heating, appliances, and occupant safety or privacy.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The README advertises fuzzy natural-language intent matching and predictive behavior without clearly bounded activation logic. In a smart-home context, ambiguous intent resolution materially increases the chance of unintended device operations, especially when mapped to heating, lighting, or scene execution.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: Automatic habit learning and proactive action are described as core features, but the README does not clearly warn that the system may infer behavioral patterns and autonomously control devices. This is dangerous because users may not understand the privacy implications of behavioral profiling or the operational risk of unrequested actions in a physical environment.

Vague Triggers

Severity: Medium
Confidence: 79%
Finding: Examples like '开灯' ("turn on the lights"), '关灯' ("turn off the lights"), and other everyday phrases are overly broad for a home-control skill and may be triggered by normal conversation, quoted speech, or ambiguous user intent. In a smart-home context, unintended activation can cause real-world effects such as device state changes, privacy loss, nuisance, or safety issues if appliances are controlled unexpectedly.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The skill advertises fuzzy natural-language matching and intent inference without describing activation constraints, authentication, or confirmation logic. In a system that can control household devices and automate actions, ambiguous matching increases the chance of accidental or adversarial triggering through casual speech or crafted prompts.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding: The 'home' scene uses broad everyday keywords like '回来了' ("I'm back"), '回家' ("go home"), and '开门' ("open the door"), which can plausibly appear in casual conversation or be inferred from noisy speech recognition. In a smart-home skill, unintended activation can directly change the physical environment by turning on lights, making this a real safety and privacy issue rather than a purely cosmetic UX problem.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The 'clean' scene keywords ('打扫' "tidy up", '扫地' "sweep the floor", '清洁' "clean") are generic words that may occur in normal conversation without intent to automate the home. In this context, accidental triggering could alter lighting unexpectedly and demonstrates insufficient activation constraints for actions affecting real devices.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The code sends a Home Assistant bearer token over plain HTTP by default to HA_URL, which exposes credentials and full device state data to interception by anyone on the local network or any upstream network path. In a smart-home context, entity states and attributes can reveal occupancy, routines, and device inventory, so using insecure transport is a real confidentiality risk even if the target is a local HA instance.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The code records raw user utterances, inferred intent, and result data, then prints the full interaction object to logs without any privacy controls, minimization, consent handling, or redaction. In a smart-home context, these utterances can reveal highly sensitive behavioral, presence, and household information, and logs are often broadly accessible or retained longer than intended.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The code sends raw user utterances and serialized context to third-party LLM providers without any consent gate, minimization, or indication that potentially sensitive smart-home context may leave the local system. In a home-automation skill, context can reveal occupancy, routines, device states, and other privacy-sensitive data, so undisclosed external transmission is a real privacy and data-governance risk.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The code sends the user's utterance plus derived intent and scene context to an external OpenClaw endpoint, with no evidence here of consent flow, minimization, or disclosure. In a smart-home context, this data can reveal behavior patterns, routines, and household state, so silent transmission to a configurable remote service creates a real privacy and data-handling risk.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The code persistently stores raw user utterances in the interactions table without any visible consent, minimization, retention, or redaction controls. In a smart-home context, these utterances can contain sensitive personal data, household routines, names, addresses, or security-relevant commands, so compromise or misuse of the database could expose private behavioral information.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The Home Assistant long-lived access token is stored in localStorage, which is readable by any JavaScript executing in the page origin, including malicious injected scripts or compromised third-party code. Because this token likely grants broad control over the smart-home environment, theft could let an attacker read device state and trigger actions across the home.

Ssd 1

Severity: Medium
Confidence: 92%
Finding: User-controlled utterance and context are interpolated directly into a single prompt, allowing prompt injection or semantic manipulation of the model's inferred intent. In this smart-home setting, a crafted utterance could bias the model into returning an incorrect scene or action classification, which may trigger unintended home behaviors if downstream systems trust the result.

VirusTotal

64/64 vendors flagged this skill as clean.