Daikin Aircon Controller

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Daikin air-conditioner control skill, but users should treat saved device credentials and discovery results as private.

Install this only if you want OpenClaw to control your Daikin AC units. Run discovery only on trusted networks, and keep data/devices.json private because it may contain internal device details plus API keys or passwords; remove that file or rotate credentials when uninstalling or sharing the workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 92%
Finding
The README explicitly promotes network-wide UDP discovery and storing device details plus API keys in a local JSON file, but it does not warn users that discovery scans the local subnet or that the configuration file contains sensitive information. This can lead users to expose internal device inventory and leave credentials insufficiently protected, especially on shared systems or when the skill directory is synced, backed up, or committed to source control.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill explicitly asks users to provide sensitive device credentials such as an API key or password, but it gives no warning about sensitivity, storage, masking, or how those secrets will be protected. In a home automation context, these credentials can enable unauthorized control of HVAC devices and may be exposed through logs, transcripts, or persistent configuration if handled insecurely.

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill encourages network discovery via UDP broadcast and states that device information is persisted in data/devices.json, but it does not warn users that local network metadata and device identifiers will be scanned and stored. This can expose private infrastructure details such as internal IPs, MAC addresses, device names, and locations, increasing privacy and reconnaissance risk if the data is retained or accessed by others.

Missing User Warnings

Medium
Confidence: 85%
Finding
This tool performs active local-network discovery and returns sensitive device identifiers including IP addresses and MAC addresses. In an agent context, exposing internal network topology and hardware identifiers without explicit user confirmation or minimization can leak private infrastructure details and enable follow-on targeting, fingerprinting, or device tracking.

VirusTotal

64/64 vendors flagged this skill as clean.
