ThingsBot

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built for ThingsBoard administration, but it includes high-impact actions that can delete telemetry or expose dashboards without enough safety guidance.

Install only if you intend to let the agent administer ThingsBoard. Before using destructive or public-sharing commands, verify the target tenant, device, dashboard, and keys, back up or export important telemetry, and require explicit confirmation for any deletion or dashboard publication.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill documents an irreversible telemetry deletion operation with `deleteAllDataForKeys=true` but provides no warning, confirmation guidance, or scoping safeguards. In an agent skill context, this increases the chance of accidental destructive actions against production IoT data, causing integrity and availability loss for monitoring, auditing, and analytics.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill includes a command to make dashboards public without any privacy or data exposure warning. Because dashboards may contain sensitive telemetry, device state, or business data, this can unintentionally expose information to unauthenticated users via a public link.

VirusTotal

66/66 vendors flagged this skill as clean.