Ulanzi TC001

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches local Ulanzi TC001 control, but it also contains an under-documented weather command that contacts public APIs and posts to an AWTRIX host.

Review before installing. The TC001 control features are coherent, but avoid the weather command unless you are comfortable sending city names to Open-Meteo and posting notifications to the configured AWTRIX host. Verify config.json IPs first, and treat any YouTube API key entered through this skill as potentially stored on the device and sent over local HTTP.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding:
The skill documentation describes use of environment variables, local file configuration, and network access, but no declared permissions are present to make those capabilities explicit. That creates a transparency and governance gap: users and platforms cannot easily assess that the skill can read config, consume env-provided secrets, and send requests over the network, which is especially relevant because it controls a local device over HTTP.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The documented purpose is local TC001 control, but the finding indicates the underlying skill also reaches public weather/geocoding services and can post to a separate AWTRIX service. That scope expansion increases attack surface, may leak device/location or user data externally, and violates least surprise because users invoking a local-control skill would not expect internet-connected side effects.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding:
The skill’s documented purpose is local HTTP control of a TC001 device, but the weather command performs outbound requests to third-party APIs and posts data to a separate AWTRIX device. This creates undeclared network and device interaction beyond user expectations, increasing privacy and trust risk because user-supplied city data and derived content leave the local environment and affect another host.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The weather feature contacts external geocoding and forecast services even though the stated skill purpose is controlling a local TC001 over HTTP. Undeclared external transmission can expose user input and metadata and violates the principle of least functionality for an ostensibly local-control skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The skill sends notification payloads to a separate AWTRIX device, which is outside the declared TC001-control scope. Even though the message content here is derived from weather data rather than fully arbitrary user text, it still enables unintended lateral device interaction on the local network and expands the attack surface beyond the advertised device.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The skill explicitly supports configuring sensitive credentials such as a YouTube API key, but the documentation does not warn how that secret is stored, transmitted, or protected. In a skill that uses HTTP and config files/env vars, this can expose credentials through plaintext local storage, logs, shell history, or unencrypted transit to the device or related services.

Natural-Language Policy Violations

Severity: Medium
Confidence: 86%
Finding:
The weather lookup hard-codes Portuguese for geocoding and a Sao Paulo timezone for forecast output without reflecting user locale or device settings. This is primarily a privacy/transparency and correctness issue rather than a direct exploit path, but it can mislead users and produce inaccurate results while silently encoding assumptions about location and language.

VirusTotal

66/66 vendors flagged this skill as clean.
