jf-open-pro-device-battery-manage

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears purpose-built for JF device battery management, but it handles sensitive API/device credentials and can change device behavior, while its endpoint and logging safeguards are under-scoped.

Review this before installing. Use it only with JF devices you control, keep JF_ENDPOINT set to an official JF domain, avoid running the token helper in shared terminals or CI logs, and rotate any app secret or device token that may have been printed or captured.

SkillSpector (8)

By NVIDIA

Tainted flow: 'url' from os.getenv (line 119, credential/environment) → requests.post (network output)

Severity: Critical
Category: Data Flow
Content:
        "Name": "Ability.AovAbility"
    }

    response = requests.post(url, headers=headers, json=body, timeout=30)
    result = response.json()

    if result.get("code") != 2000:
Confidence: 94%
Finding: response = requests.post(url, headers=headers, json=body, timeout=30)

Tainted flow: 'url' from os.getenv (line 119, credential/environment) → requests.post (network output)

Severity: Critical
Category: Data Flow
Content:
        "Name": "Dev.LowElectrMode"
    }

    response = requests.post(url, headers=headers, json=body, timeout=30)
    result = response.json()

    if result.get("code") != 2000:
Confidence: 94%
Finding: response = requests.post(url, headers=headers, json=body, timeout=30)

Tainted flow: 'url' from os.getenv (line 119, credential/environment) → requests.post (network output)

Severity: Critical
Category: Data Flow
Content:
        }
    }

    response = requests.post(url, headers=headers, json=body, timeout=30)
    result = response.json()

    if result.get("code") != 2000:
Confidence: 96%
Finding: response = requests.post(url, headers=headers, json=body, timeout=30)

Vague Triggers

Severity: Medium
Confidence: 76%
Finding: The trigger phrases are broad terms like '电池管理' and '电量配置', which could match ordinary conversation or unrelated device contexts. In a skill that can modify device configuration, ambiguous activation increases the chance of unintended invocation and unauthorized or accidental threshold changes.

Vague Triggers

Severity: Medium
Confidence: 72%
Finding: The trigger section does not clearly define when the skill should activate versus when a general assistant response is appropriate. Because this skill can change power-management settings on physical devices, unclear invocation conditions raise the risk of accidental execution in the wrong context.

Missing User Warnings

Severity: Medium
Confidence: 80%
Finding: The documentation discusses changing a low-power threshold but does not prominently warn about operational effects, such as earlier entry into low-power mode and possible reduced device functionality. Users may make unsafe or unintended changes to device behavior without understanding the consequences.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The skill lists sensitive credentials in environment variables, including app secrets and device tokens, but provides no guidance on secure storage, least-privilege handling, log redaction, or transmission risks. Given the associated token retrieval and debugging behavior, this omission materially increases the chance of credential leakage and unauthorized device/API access.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The script logs the full raw API response and later prints the returned device token to stdout, which can expose sensitive bearer-like credentials in terminals, CI logs, shell history capture, or support bundles. Anyone with access to those logs could reuse the token to access device-related functionality until it expires or is revoked.

Static analysis

Exposed secret literal

Severity: Critical
Finding: File appears to expose a hardcoded API secret or token.

VirusTotal

VirusTotal findings are pending for this skill version.