jf-open-pro-device-status

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears to query JF device status as advertised, but it needs review because it can expose device WAN IPs and does not clearly warn users about sensitive device and credential data handling.

Install only if you trust the JFTech publisher and are comfortable sending device tokens and app credentials to the configured JF API endpoint. Treat the table output as sensitive because it may reveal external IP addresses; prefer simple or JSON output unless WAN IPs are needed, and keep credentials in a protected environment.

SkillSpector (4)

By NVIDIA

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The skill is described as a device online-status query tool, but the table output also displays each device's external WAN IP. This expands the data exposed beyond the declared purpose and may reveal sensitive network information to users or logs, increasing reconnaissance value without a clear need for the stated function.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
Displaying external IP information is not proportionate to a narrowly scoped 'device status' skill and creates unnecessary exposure of infrastructure metadata. In the context of a status-check utility, this makes the skill more dangerous because it provides operators or downstream consumers with information useful for asset enumeration and targeting.

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger phrases are broad everyday expressions such as '设备在线吗' ("is the device online?") and '查询设备状态' ("query device status"), which can cause accidental invocation. Mis-triggering could lead to unintended network requests or exposure of device status information when the user did not intend to run this specific skill.

Missing User Warnings

Medium
Confidence: 95%
Finding
The document describes credential configuration and remote API queries but does not clearly disclose data handling to users, including transmission of device tokens, UUID/app credentials, and returned device metadata such as WAN IP. This lack of notice increases the risk of accidental exposure of sensitive operational data and weakens informed consent.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.
