Bolt IoT

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Bolt IoT skill, but it gives an agent authenticated device-control and raw API-request abilities without clear safety guardrails.

Install only if you trust Membrane and intend to let an agent operate your Bolt IoT account and devices. Use read-only actions first, and require explicit review of the exact device, endpoint, method, payload, and expected effect before any restart, write, delete, automation, or raw proxy API request.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill advertises hardware-control actions such as restart, serial write, analog write, and digital write without clearly warning that these operations can alter physical device state or disrupt connected systems. In an agent context, this increases the chance of unsafe or unintended execution, especially if a user request is ambiguous or the controlled device has real-world effects.

VirusTotal

63/63 vendors flagged this skill as clean.
