Beijing Juying Electronics | Juying Cloud Device Control

Security checks across malware telemetry and agentic risk

Overview

This skill clearly describes a Juying Cloud IoT control integration that can operate real devices using the user's own API token, with no hidden code or persistence found.

Install only if you trust the skill with your Juying Cloud API token and understand that it can open or close connected device channels when you ask it to. Prefer a limited or revocable token if available, verify the exact device and channel before control commands, and avoid using it for safety-critical equipment without an added confirmation process.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill documents live IoT control operations that can open or close device channels, but it provides no safety warnings, confirmation requirements, or usage constraints about real-world effects. In an automation context, these endpoints may actuate physical equipment, so exposing them without explicit caution increases the risk of unintended or unsafe actions by users or downstream agents.

Missing User Warnings

Medium
Confidence: 95%
Finding
The examples instruct the agent to perform real-world device control actions such as opening and closing channels immediately, without requiring a confirmation step or warning the user about physical consequences. In an IoT control context, ambiguous, mistaken, or unauthorized commands could trigger unsafe operations affecting equipment, power, or connected environments.

Missing User Warnings

Medium
Confidence: 87%
Finding
The onboarding guidance tells users to obtain and enter an API token but provides no warning that the token is a sensitive credential equivalent to account access. This increases the risk of accidental exposure in prompts, logs, screenshots, or shared environments, which could allow unauthorized querying or control of devices.

VirusTotal

65/65 vendors flagged this skill as clean.
