ClawHub

Sphero Mini Control

Security checks across malware telemetry and agentic risk

Overview

The skill appears designed for Sphero Mini control, but its documentation includes a broad persistent Linux privilege change that users should review carefully.

Install only if you intend to control a Sphero Mini. Use the bleak-based setup, supervise movement modes in a clear bounded area, and avoid the Linux setcap or sudo troubleshooting commands unless you understand their system-wide effect and how to reverse them. Inspect or pin any external GitHub files before downloading them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Low
Confidence
89% confidence
Finding
The README promotes autonomous and randomized robot movement ('Cat Play Mode', drawing patterns) without any warning to clear the area, supervise operation, or avoid use near stairs, fragile items, pets' faces, or hazards. While this is not a software exploit, it is a real safety issue because users may run the robot in unsafe environments, leading to minor property damage or harm to pets/people.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill promotes autonomous and random physical movement of a robot, including a cat-play mode, without a prominent safety warning about collisions, falls, damage to property, or unintended interaction with pets and people. In a physical-world control skill, underemphasizing operational safety can lead to real-world harm even if the code is not traditionally exploitable.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The documentation provides multiple movement-control examples, including random movement for pet play, without warning users that the robot can move unpredictably and may collide with people, pets, or objects. In a physical-device control skill, omission of basic safety guidance can contribute to minor injury, pet distress, or property damage, especially when users copy-paste examples directly.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal