Imou Open Device Manage

Security checks across malware telemetry and agentic risk

Overview

This skill transparently manages Imou cloud devices and can rename a device or channel, so it is acceptable if the user intends to grant that control.

Install only if you want an agent to use your Imou developer credentials to view device inventory and rename devices or channels. Keep the app secret private, set IMOU_BASE_URL to the correct official regional endpoint, and confirm the device serial, channel ID, and new name before allowing rename commands.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

High

Confidence: 82% confidence
Finding: This function performs a remote state-changing action—renaming a device or channel—immediately upon invocation, with no built-in confirmation, policy check, or safeguard against unintended execution. In an agent skill context, this increases the risk of unauthorized or mistaken modification of user-managed cloud devices if the tool is triggered by ambiguous prompts or prompt-injection-influenced flows.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal