ClawHub

Jf Open Pro Feed Control

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says, but it controls a real pet feeder and sends powerful credentials to an endpoint that can be freely changed by environment configuration.

Install only if you understand that it can feed the device and change schedules. Keep JF_APP_SECRET and JF_DEVICE_TOKEN private, do not commit or share them, and only set JF_ENDPOINT to a trusted JFTech regional API host. Review commands carefully before allowing an agent to run feed or schedule-changing actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Tainted flow: 'url' from os.getenv (line 230, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
if access_token:
        body["accessToken"] = access_token

    response = requests.post(url, headers=headers, json=body, timeout=30)
    result = response.json()

    if result.get("code") != 2000:
Confidence
97% confidence
Finding
response = requests.post(url, headers=headers, json=body, timeout=30)

Tainted flow: 'url' from os.getenv (line 230, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
body = {"Name": "FeederAbility"}

    response = requests.post(url, headers=headers, json=body, timeout=30)
    result = response.json()

    if result.get("code") != 2000:
Confidence
96% confidence
Finding
response = requests.post(url, headers=headers, json=body, timeout=30)

Tainted flow: 'url' from os.getenv (line 230, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
}
    }

    response = requests.post(url, headers=headers, json=body, timeout=30)
    result = response.json()

    if result.get("code") != 2000:
Confidence
96% confidence
Finding
response = requests.post(url, headers=headers, json=body, timeout=30)

Tainted flow: 'url' from os.getenv (line 230, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
"props": ["feedPlan"]
    }

    response = requests.post(url, headers=headers, json=body, timeout=30)
    result = response.json()

    if result.get("code") != 2000:
Confidence
95% confidence
Finding
response = requests.post(url, headers=headers, json=body, timeout=30)

Tainted flow: 'url' from os.getenv (line 230, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
if method:
        body["props"]["method"] = method

    response = requests.post(url, headers=headers, json=body, timeout=30)
    result = response.json()

    if result.get("code") != 2000:
Confidence
95% confidence
Finding
response = requests.post(url, headers=headers, json=body, timeout=30)

Tainted flow: 'url' from os.getenv (line 230, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
url = f"{JF_BASE_URL}/rtc/device/petDetectionSwitchStatus/{device_token}"
    headers = get_headers(uuid, app_key, app_secret, move_card)

    response = requests.post(url, headers=headers, timeout=30)
    result = response.json()

    if result.get("code") != 2000:
Confidence
94% confidence
Finding
response = requests.post(url, headers=headers, timeout=30)

Tainted flow: 'url' from os.getenv (line 230, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
body = {"Switch": switch}

    response = requests.post(url, headers=headers, json=body, timeout=30)
    result = response.json()

    if result.get("code") != 2000:
Confidence
95% confidence
Finding
response = requests.post(url, headers=headers, json=body, timeout=30)

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The skill exposes a device-token retrieval function in addition to direct feeder operations. Expanding a control skill to mint or fetch access tokens increases the blast radius: anyone permitted to invoke the skill may gain reusable credentials that enable further device API access beyond the immediate requested action.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Allowing the remote API endpoint to be overridden by environment variable lets the skill send authenticated traffic to arbitrary network destinations unrelated to the feeder vendor. In this skill context, requests contain app credentials, signatures, and sometimes access tokens, so endpoint override materially increases exfiltration risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill enables remote feeding, schedule modification, and pet-detection toggling, all of which can change real-world device behavior, but the description does not warn users that commands may actuate hardware or persist configuration changes. In a device-control context, missing disclosure increases the chance of unintended feeding, harmful schedule changes, or unsafe automation being triggered without informed consent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation lists sensitive credentials and device tokens, including app secrets and device access tokens, without any warning about secure storage, redaction, or rotation. Exposure of these values could allow unauthorized API access to query devices or issue remote feeding and configuration commands against a user's feeder.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal