Jf Open Pro Smart Doorlock Control

Security checks across malware telemetry and agentic risk

Overview

This skill openly controls a smart door lock, but it allows immediate remote unlocking with weak documented safeguards.

Install only if you fully trust the publisher and can control who may invoke the skill. Before using it with a real lock, restrict the API endpoint to the intended JFTech regional host, avoid broad unlock triggers, and require explicit confirmation or stronger authorization before every unlock command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Tainted flow: 'url' from os.getenv (line 164, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
    if access_token:
        body["accessToken"] = access_token

    response = requests.post(url, headers=headers, json=body, timeout=30)
    result = response.json()

    if result.get("code") != 2000:
Confidence
96% confidence
Finding
response = requests.post(url, headers=headers, json=body, timeout=30)

Tainted flow: 'url' from os.getenv (line 164, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
    body = {"Name": "DoorFunction"}

    response = requests.post(url, headers=headers, json=body, timeout=30)
    result = response.json()

    if result.get("code") != 2000:
Confidence
95% confidence
Finding
response = requests.post(url, headers=headers, json=body, timeout=30)

Tainted flow: 'url' from os.getenv (line 164, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
}
    }

    response = requests.post(url, headers=headers, json=body, timeout=30)
    result = response.json()

    if result.get("code") != 2000:
Confidence
95% confidence
Finding
response = requests.post(url, headers=headers, json=body, timeout=30)

Tainted flow: 'url' from os.getenv (line 164, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
    if keepalive_time > 0:
        body["KeepaliveTime"] = keepalive_time

    response = requests.post(url, headers=headers, json=body, timeout=30)
    result = response.json()

    if result.get("code") != 2000:
Confidence
96% confidence
Finding
response = requests.post(url, headers=headers, json=body, timeout=30)

Tainted flow: 'url' from os.getenv (line 164, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
"memberID": 1
        }

    response = requests.post(url, headers=headers, json=body, timeout=30)
    result = response.json()

    if result.get("code") != 2000:
Confidence
98% confidence
Finding
response = requests.post(url, headers=headers, json=body, timeout=30)

Vague Triggers

Medium
Confidence
95% confidence
Finding
Including the broad trigger word '开锁' ("unlock") creates a realistic risk of accidental invocation from ordinary conversation. In this skill's context, accidental triggering is especially dangerous because the action is not merely informational: it can remotely unlock a physical door, creating unauthorized physical access and safety risk.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill exposes remote unlock capability without documenting a mandatory confirmation, re-authentication, or authorization gate before execution. Because this is a physical-security control, a mistaken, coerced, or unauthorized invocation could directly enable unlawful entry, theft, or personal harm; the smart-lock context makes this materially more dangerous than a typical API action.

Missing User Warnings

High
Confidence
94% confidence
Finding
The skill can issue a remote unlock command immediately with no explicit confirmation, warning, or secondary authorization step. Because this controls a physical door lock, accidental invocation, prompt injection in higher layers, or misuse by an unintended operator can directly lead to unauthorized physical entry.

VirusTotal

62/62 vendors flagged this skill as clean.
