Bluetooth

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Bluetooth helper with sensitive but disclosed capabilities that fit its stated purpose.

Install only if you want an agent to manage Bluetooth devices. Confirm every new pairing or scan, review any smart-home or wearable writes, do not run packet captures unless you intend to collect device traffic, and keep ~/bluetooth/ profiles and logs private or delete stale entries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium, 91% confidence
Finding: The fitness workflows go beyond Bluetooth transport into collecting, storing, consolidating, and transmitting sensitive health data to third-party services. That expanded data-handling scope materially increases privacy and compliance risk, especially because the examples normalize syncing to external apps without any mention of consent, data minimization, or destination controls.

Context-Inappropriate Capability

Medium, 88% confidence
Finding: Packet capture and protocol reverse-engineering introduce capabilities that can expose sensitive device communications, pairing behavior, and proprietary command structures. In a general Bluetooth-control skill, this is more dangerous because it enables surveillance and misuse against nearby devices without a clearly constrained troubleshooting or developer-only boundary.

Vague Triggers

Medium, 86% confidence
Finding: The skill description is broad enough that an orchestrator may invoke it for loosely related requests involving nearby devices, connectivity, or device control. Because this skill can discover and interact with external Bluetooth devices, unintended invocation could trigger scanning or connection workflows in situations the user did not clearly intend, increasing the risk of privacy impact or unwanted device interaction.

Missing User Warnings

Medium, 91% confidence
Finding: The skill instructs the agent to create and continuously update per-device profile files containing persistent Bluetooth metadata such as MAC addresses, device names, usage history, pairing details, and behavioral notes, but provides no warning, consent step, retention policy, or protection guidance. This creates a privacy and security risk because these profiles can reveal a user's device inventory, habits, locations/rooms, and potentially sensitive connection information if the host is multi-user, backed up, or otherwise exposed.

Missing User Warnings

Medium, 95% confidence
Finding: The documentation instructs extraction, saving, consolidation, and syncing of workout and health-adjacent data without any warning, consent language, or safeguards. Because this involves personal health information and third-party transmission, the omission creates a meaningful privacy risk and raises the chance of unexpected disclosure or noncompliant handling.

VirusTotal

64/64 vendors flagged this skill as clean.