Tuya Smart

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Tuya smart-home control guide that can affect real devices, but its authority is purpose-aligned and guarded by user confirmation, read-before-write checks, and local-only setup.

Install this only if you want an agent to help with Tuya devices. Keep it in read-only or guided-write mode until you are comfortable, use least-privilege Tuya credentials, require explicit approval for locks, alarms, heating, high-power switches, and bulk changes, and periodically review ~/tuya so old device mappings or activation preferences do not cause mistakes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 89%
Finding
The activation criteria are intentionally broad, covering generic terms like lights, plugs, sensors, and scenes, which can cause the skill to activate in contexts the user did not clearly intend. In a home automation skill with potential write actions, ambiguous auto-activation increases the chance of unsolicited device-control guidance or accidental escalation from discussion into operational actions.

VirusTotal

66/66 vendors flagged this skill as clean.
