ClawHub

smart-control-skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate smart-home control skill, but it gives an agent live control over real devices and scenes without built-in confirmation safeguards.

Install only if you want an agent to control your Smart Plus devices. Keep the OAuth token private, rotate it if exposed, and configure your agent workflow to ask before turning devices on or off, changing HVAC settings, or triggering scenes, especially scenes that may affect multiple devices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README advertises tools that can turn devices on/off and trigger scenes, but it does not clearly warn that these actions affect real physical devices and automations in the user's environment. In a smart-home context, unexpected execution could impact safety, privacy, energy usage, or trigger cascading automations, so the omission is a genuine security-relevant documentation weakness.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documents direct commands to power devices on/off, change air-conditioner settings, and trigger scenes without any warning about physical-world consequences or a requirement to confirm before execution. In a smart-home context, these actions can affect safety, security, energy usage, and occupant comfort, and scenes may control multiple devices at once with broader impact than the user realizes.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation exposes tools that can directly alter a user's physical environment, including powering devices, changing AC settings, and triggering scenes that may execute multiple actions, but it does not include prominent safety warnings, confirmation guidance, or mention of real-world consequences. In a smart-home control skill, this omission increases the risk that an agent or user invokes impactful actions without adequate awareness or safeguards.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal