Back to skill

Security audit

RootONLocal-LocalWeb-ControlV2.0.4

Security checks across malware telemetry and agentic risk

Overview

This skill is openly for local smart-home control, but it handles reusable IoT credentials and recommends unsafe local/TLS security practices that users should review before installing.

Install only if you trust the RootONLocal app, the local machine, and the LAN. Treat the LocalWeb username/password as sensitive secrets, avoid HTTP mode, avoid clients that disable TLS verification, and require explicit confirmation before commands that change blinds, HVAC, plugs, or IR remotes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The spec explicitly documents that `GET /iot/info` returns LocalWeb `user` and `password` in plaintext, and the API also exposes station IPs, device IDs, and inventory data. Even though the server is intended to bind only to 127.0.0.1, it also allows `Access-Control-Allow-Origin: *`, so any local webpage, browser context, or untrusted app process able to reach loopback could harvest credentials and directly control or query IoT devices; in this skill context, that capability is core to operating the home automation environment, which makes the exposure especially sensitive.

Intent-Code Divergence

Low
Confidence
80% confidence
Finding
The documentation relies on 'loopback-only' as the security boundary while simultaneously acknowledging that external reachability would expose credentials. That assumption is brittle: loopback services are commonly reachable by local malware, browser-based attacks against localhost, port forwarding, misconfiguration, debugging bridges, or container/network edge cases, so treating localhost binding as a substitute for authentication is unsafe.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly enables real-world actuation of IoT devices such as lights, blinds, and air conditioners, but the surfaced description does not prominently warn that invoking the skill can immediately change physical device state. In an LLM tool context, insufficient side-effect disclosure increases the risk of accidental or misunderstood activation, which can affect safety, privacy, comfort, or energy usage even if no classic software exploit is present.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The skill explicitly instructs clients to retrieve local admin credentials from http://127.0.0.1:18080/iot/info and replay them to device-control endpoints, while also issuing real state-changing commands to local IoT devices. In this context, the absence of clear user-facing consent, warning, and secret-handling guidance increases the risk of silent local-network control and credential exposure through logs, prompts, or downstream tooling.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The spec requires sending `user` and `password` on every request, including over plain HTTP when `useHttps=false`, which exposes credentials to interception on the local network and increases the blast radius of logging or memory disclosure. Even when HTTPS is used, repeatedly transmitting static credentials without stronger session protection or explicit user warning creates unnecessary credential exposure.

Missing User Warnings

High
Confidence
98% confidence
Finding
The spec explicitly recommends bypassing TLS certificate validation for private IP ranges, which defeats the core protection HTTPS provides against active man-in-the-middle attacks. On a local network, an attacker with routing, ARP spoofing, or rogue access point capability could impersonate the station, capture credentials, and issue unauthorized device commands.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.