Super Blueauto

Security checks across malware telemetry and agentic risk

Overview

This local Bluetooth-control skill is not malicious, but it needs review because it claims very broad control over nearby and connected devices without clear safety limits.

Review before installing. Use only with Bluetooth devices you own, require explicit confirmation before connect, disconnect, write, power, or batch actions, and avoid locks, health devices, or other safety-sensitive hardware unless the exact command behavior and recovery path are known.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The invocation examples are broad action phrases like scanning, connecting, toggling power, and disconnecting all devices, but they provide no activation boundaries, confirmation requirements, or device-scoping constraints. In a Bluetooth control skill, this can enable accidental or overly permissive execution against nearby or previously paired devices, including disruptive actions against speakers, sensors, sockets, or locks.

Missing User Warnings

Medium
Confidence: 88%
Finding
The permission statement emphasizes local-only access and no data collection, but it omits any warning that Bluetooth control can alter physical device state, interrupt peripherals, or affect safety-relevant equipment. This framing can cause users to underestimate the operational risk of granting control to the skill, especially given its claimed support for broad device categories including locks, sockets, and health devices.

VirusTotal

63/63 vendors flagged this skill as clean.
