VacuumControl

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent guide for installing and using a Roborock vacuum CLI, with expected account and device-control risks that are mostly disclosed.

Install only if you are comfortable running an external CLI and giving it access to your Roborock account. Use it on a trusted machine, treat the cache file as sensitive, and only allow commands that physically control the vacuum when you clearly intend that action.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill includes deletion of the authentication/cache directory using rm -rf without a strong warning about the consequence that stored credentials, session state, and local device metadata will be erased. In an agent context, destructive filesystem commands are risky because a user may not realize they are invalidating authentication and potentially disrupting automation until after execution.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal