Back to skill

Security audit

Govee Lights Control

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it advertises: control Govee lights through Govee’s API using a user-provided API key.

Install only if you are comfortable giving the agent a Govee API key that can control devices on that account. Use exact device names or list devices first, keep the API key private and revocable, and consider using a virtual environment for the Python dependency.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Tainted flow: 'HEADERS' from os.environ.get (line 19, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
def get_devices():
    """Fetch all devices linked to your Govee account."""
    response = requests.get(f"{BASE_URL}/user/devices", headers=HEADERS)
    response.raise_for_status()
    data = response.json()
    if data.get("code") == 200:
Confidence
90% confidence
Finding
response = requests.get(f"{BASE_URL}/user/devices", headers=HEADERS)

Tainted flow: 'HEADERS' from os.environ.get (line 19, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
"capability": capability
        }
    }
    response = requests.post(
        f"{BASE_URL}/device/control",
        headers=HEADERS,
        json=payload
Confidence
90% confidence
Finding
response = requests.post( f"{BASE_URL}/device/control", headers=HEADERS, json=payload )

External Transmission

Medium
Category
Data Exfiltration
Content
"capability": capability
        }
    }
    response = requests.post(
        f"{BASE_URL}/device/control",
        headers=HEADERS,
        json=payload
Confidence
80% confidence
Finding
requests.post( f"{BASE_URL}/device/control", headers=HEADERS, json=

Env Variable Harvesting

High
Category
Data Exfiltration
Content
import requests

# Get API key from environment variable
API_KEY = os.environ.get("GOVEE_API_KEY")
if not API_KEY:
    raise ValueError("GOVEE_API_KEY environment variable not set. "
                     "Get your key from https://developer.govee.com/")
Confidence
70% confidence
Finding
os.environ.get("GOVEE_API_KEY

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.