peaq Robotics

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed ROS 2 helper for peaq robotics; it has operational power, but I found no hidden transfers, exfiltration, destructive behavior, or deceptive installation path.

Install only if you intend to let an agent operate your existing peaq ROS 2 workspace. Verify PEAQ_ROS2_ROOT and config paths, approve DID/storage/access-control mutations deliberately, avoid storing secrets, and stop background ROS nodes when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3 (Medium)
Category: MCP Least Privilege
Confidence: 91%
Finding:
The skill exposes shell execution, file-read, and network-capable behavior but does not declare corresponding permissions. That weakens review and policy enforcement because operators may approve the skill based on incomplete capability disclosure, even though it can invoke ROS 2 commands, read JSON files via @/path inputs, and interact with networked services.

Tp4 (High)
Category: MCP Tool Poisoning
Confidence: 87%
Finding:
The documented purpose understates the operational scope: beyond simple core start/stop and service calls, the skill also supports lifecycle transitions, identity-card extraction/construction, and a funding-request helper, with the finding also suggesting additional node control. Description/behavior drift is dangerous because reviewers and users may authorize the skill under a narrower trust model than its real functionality, increasing the chance of unintended node control or metadata handling in a robotics environment.

Description-Behavior Mismatch (Medium)
Confidence: 93%
Finding:
This library function introduces a wallet-funding request capability in a skill whose declared scope is limited to running ROS 2 nodes and calling DID, storage, and access-control services. Even though the function only prints a formatted funding request rather than transferring funds directly, adding a funding workflow expands the operational scope and can be abused by higher-level code or social engineering to solicit funds unexpectedly.

Context-Inappropriate Capability (Medium)
Confidence: 91%
Finding:
The function emits a funding request containing a wallet address, amount, and reason even though funding operations are outside the stated purpose of the skill. This creates an unjustified payment-oriented behavior that could be invoked by an agent or wrapper workflow to request funds under the guise of normal robotics runtime setup, increasing the risk of deceptive or unintended fund solicitation.

Missing User Warnings (Low)
Confidence: 84%
Finding:
The script prints the wallet address directly to stdout as part of the funding request line, which can expose financial identifiers in logs, transcripts, terminal history, or telemetry. While a wallet address is not typically secret like a private key, disclosing it without warning can still leak operational metadata and facilitate profiling, targeting, or unwanted association with the robotics deployment.

VirusTotal

64/64 vendors flagged this skill as clean.
