Robot

Security checks across malware telemetry and agentic risk

Overview

This is a robotics helper skill with disclosed local notes and hardware-control examples, but users should be careful before applying its outputs to real machines.

Install only if you are comfortable with the agent creating and reusing notes in ~/robot. Review those files periodically, do not store credentials or sensitive site details there, and treat all generated robotics code as draft guidance: test with power limited, wheels lifted or mechanisms restrained, emergency stop available, and exact hardware verified before running anything on real equipment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill directs the agent to read from and write persistent files under ~/robot/ and to update them proactively, but it provides no requirement to obtain user consent or clearly disclose local file modification. This can lead to unintended persistence of sensitive project details, hardware inventories, and troubleshooting notes on the user's machine, creating privacy and integrity risks even if the intent is organizational.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly creates and maintains persistent files under the user's home directory to store project, hardware, and debugging history, but it provides no user-facing disclosure, consent step, or data-minimization guidance. This can cause unintended retention of sensitive information such as hardware inventory, project details, file paths, and operational notes on disk, which is especially relevant in robotics contexts where stored configuration and wiring details may expose safety- or security-relevant system information.

Missing User Warnings

Medium
Confidence: 96%
Finding
The self-balancing robot section provides closed-loop motor actuation code that can immediately drive motors based on unstable or miscalibrated IMU readings, but it does not warn about runaway motion, falls, or safe test setup. In a robotics skill, this omission is credible and safety-relevant because beginners may execute the example on powered hardware during tuning, when instability is most likely.

Missing User Warnings

Medium
Confidence: 94%
Finding
The robot arm example issues direct servo movement commands from inverse kinematics results without warning about unexpected joint motion, pinch points, overtravel, or collisions. Because robot arms can move abruptly into a user's hands or into their own structure if coordinates or offsets are wrong, missing safety guidance creates a real physical hazard.

Missing User Warnings

Medium
Confidence: 95%
Finding
The ROS2 differential-drive section sends /cmd_vel-derived speeds straight to hardware and shows Arduino firmware applying them, but it lacks warnings about unintended motion during bring-up, bad serial data, stale commands, or reversed motor polarity. In this skill context, that increases risk because users are likely to connect the example to real mobile robots where sudden movement can cause collisions or injury.

Missing User Warnings

Medium
Confidence: 93%
Finding
The quadruped gait section coordinates many servos and periodic leg motion without warning about synchronized motion hazards, linkage pinch points, current spikes, or mechanical strain from incorrect gait parameters. Multi-servo robots can jerk suddenly and damage themselves or nearby fingers during early tuning, so the absence of cautions is a meaningful safety weakness.

VirusTotal

65/65 vendors flagged this skill as clean.
