Thermostat

Security checks across malware telemetry and agentic risk

Overview

This is a thermostat guidance skill with no executable code, and its smart-home advice is disclosed and aligned with its stated purpose.

Safe to install as a thermostat helper. Before connecting it to smart-home controls, require explicit confirmation of the thermostat or zone, mode, target temperature, duration, and any automation or return date.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger phrase "I'm going out" is broad everyday language and is not clearly scoped to thermostat control, so an agent could activate on casual conversation and apply away-mode guidance or changes unintentionally. In a smart-home context, ambiguous activation can cause unwanted HVAC setpoint changes that affect comfort, energy usage, or freeze/humidity protection during absence.

Vague Triggers

Medium
Confidence: 89%
Finding
The phrase "I'm going away for a week" implies travel but does not explicitly request thermostat action, creating a risk that the skill may infer and initiate vacation-mode configuration without clear consent. Because this skill can influence protective temperature thresholds during extended absence, mistaken activation could leave the home at unsuitable settings or fail to reflect the user's actual plans.

Vague Triggers

Low
Confidence: 78%
Finding
The rental-host condition is loosely phrased and not clearly tied to a thermostat configuration request, so the skill may activate when a user merely mentions being an Airbnb or rental host. In this file's context the content is operationally relevant, but the ambiguous scope could still lead to unsolicited automation suggestions or vacancy-setting changes.

VirusTotal

58/58 vendors flagged this skill as clean.
