ClawHub

Midea Air Conditioners

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local Midea air-conditioner controller, with the main caution that vague commands could accidentally change a real device.

Install only if you want an agent to control your local Midea AC units. Verify the configured room names and IP addresses, install msmart-ng from a trusted source, and require clarification or confirmation before acting on vague requests like "warmer," "cooler," or "full speed."

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The invocation description is broad enough that an orchestrator could select this skill for generic AC-related requests without confirming device ownership, room scope, or whether the user intended physical device control. Because this skill performs real-world state changes in a home environment, over-broad routing increases the chance of unintended actuation.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The natural-language triggers include vague phrases like 'Warmer', 'Cooler', 'Full speed', and 'Minimum speed' that may appear in ordinary conversation without clearly referring to an AC or a specific room. In a device-control skill, such underspecified triggers can cause accidental command execution against physical equipment, especially when the skill infers missing context.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The skill documentation instructs direct execution of commands that change the home environment but does not include any warning, confirmation guidance, or safety note for state-changing actions. While not an exploit by itself, the lack of operator-facing safeguards increases the risk of accidental or inappropriate device manipulation.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal