HomePod

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed HomePod troubleshooting and local-control guide with narrow local notes and confirmation gates for device actions.

Install if you want HomePod setup and troubleshooting help with optional local device control. Before using direct control, install atvremote from a trusted source, confirm the exact target device and source URL or file, and periodically review or clear ~/homepod/ if you do not want household topology or troubleshooting history retained.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill explicitly directs the agent to persist notes in `~/homepod/memory.md` without requiring user disclosure, consent, retention limits, or any guidance on minimizing sensitive content. In a home automation context, those notes may include device inventory, network details, protected rooms, and operational preferences, creating a privacy and security risk if stored unexpectedly or accessed by other processes.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal