roku

Security checks across malware telemetry and agentic risk

Overview

This Roku control skill is mostly purpose-aligned, but it includes under-disclosed Telegram and local pipe control paths that can issue Roku commands without clear access controls.

Review before installing or running. Use a strong unique bridge token, keep the bridge bound to localhost or a trusted network, and avoid running the Telegram or pipe listener scripts unless you intentionally want remote bot-based control and have restricted who can use the bot.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if line.startswith("roku_"):
    btn = line.replace("roku_", "")
    if hasattr(r, btn):
        getattr(r, btn)()
        print(f"→ {btn}", flush=True)
# Handle "btn NAME" format
elif line.startswith("btn "):
Confidence
90% confidence
Finding
getattr(r, btn)()

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
            elif line.startswith("btn "):
                btn = line.split(" ", 1)[1]
                if hasattr(r, btn):
                    getattr(r, btn)()
                    print(f"→ {btn}", flush=True)
except:
    time.sleep(0.01)
Confidence
90% confidence
Finding
getattr(r, btn)()

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
A description-behavior mismatch is security-relevant because users may approve a Roku-only local control tool while the implementation reportedly includes Telegram Bot API communication and different IPC control paths not disclosed in the skill description. Undisclosed external network integration expands the trust boundary and can enable remote command/control or data exposure that users did not knowingly consent to.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The file adds a Telegram control channel to a skill described as a Roku CLI and HTTP bridge utility, creating an undeclared remote command path. In this context, that hidden or undocumented messaging integration increases risk because anyone controlling the bot can inject button presses into the local Roku control pipe.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The code reads a Telegram bot token for an integration that is not reflected in the stated skill scope. That mismatch is dangerous because it can conceal external control capability and makes it harder for operators to understand what secrets are needed and what remote services the skill contacts.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The bridge service exposes command endpoints capable of controlling a Roku device, yet the instructions do not prominently warn users that installing and starting the service creates a persistent local control surface. If bound beyond loopback, misconfigured, or proxied, this could permit unauthorized remote control by other local users or network attackers.

Missing User Warnings

Low
Confidence
95% confidence
Finding
The examples repeatedly use a trivial bearer token value of 'secret' without warning that it must be replaced. Users often copy-paste examples, so this can result in weak authentication protecting a control API, making unauthorized use much easier if the service is exposed or accessible by other local actors.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The daemon creates and unlinks a predictable FIFO at /tmp/roku-control without validating ownership, setting restrictive permissions, or warning that any local process may be able to write commands to it depending on system umask. In this skill's context, that means another local user or process could inject Roku control commands, causing unauthorized device actions or interfering with the daemon, and the unlink/recreate behavior on a world-writable path adds race/symlink risk.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
This script issues real network-backed device control actions to a Roku with no confirmation, authentication check, warning, or audit logging. In the context of a device-control skill, silent execution increases the risk of unauthorized or hard-to-trace actions if the skill is invoked unexpectedly, misconfigured, or chained by another tool.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The file implements unauthenticated command execution from pipe input to a physical/network-connected device, with no access control, confirmation, or user-visible warning in the code path. In this skill's context, that means any local process that can write to /tmp/roku-control may drive the Roku, launch apps, or otherwise manipulate the device unexpectedly.

VirusTotal

61/61 vendors flagged this skill as clean.
