Alexa

Security checks across malware telemetry and agentic risk

Overview

This is an informational Alexa documentation skill; it includes some sensitive smart-home examples, but there is no evidence that the skill itself executes commands, accesses data, or persists anything.

Reasonable to install as documentation. Before following examples that control locks, cameras, garage doors, calling, messaging, Drop In, Wi-Fi settings, or resets, review Alexa privacy and household permissions, require confirmations or PINs where available, and avoid resetting or disconnecting critical devices unless you have a recovery plan.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence: 89%
Finding
The file presents safety- and privacy-sensitive voice commands such as locking doors, arming Guard, showing camera feeds, calling, messaging, and Drop In as simple examples without any nearby warnings about authorization, accidental activation, privacy implications, or device/account prerequisites. In a skill meant to guide users on Alexa usage, this omission can normalize risky actions and increase the chance of unintended access, surveillance, or communications, especially in shared households or on voice-activated devices susceptible to mishearing.

Missing User Warnings

Medium
Confidence: 91%
Finding
The re-registration workflow instructs users to disable skills, delete devices, and factory reset hardware, but it does not warn that these actions can remove existing automations, room/group assignments, and account links, and can require time-consuming reconfiguration. In a smart-home context, this can also temporarily disable access to safety- or security-relevant devices such as locks, cameras, or sensors.

Missing User Warnings

Medium
Confidence: 86%
Finding
The routine example includes changing the Wi-Fi password as part of a 'Guest mode' pattern without warning that doing so will disconnect smart-home devices, speakers, phones, and automations until each device is updated. In this skill's context, that disruption could break home control and monitoring unexpectedly, especially for users relying on connected locks, cameras, or sensors.

VirusTotal

66/66 vendors flagged this skill as clean.
