ClawHub

Usb Light Sensor Reader

Security checks across malware telemetry and agentic risk

Overview

The sensor code is local and simple, but the included guide expands the read-only sensor skill into AI-driven USB relay control without enough safety scoping.

Install only if you are comfortable with local USB serial access and review USAGE-GUIDE.md carefully. The core sensor reader appears local and read-only, but do not copy the relay examples unless the attached device is harmless, supervised, and has a manual way to shut it off. Avoid storing real API keys in plaintext config files, and understand that adding your user to dialout grants ongoing serial-device access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide provides multiple examples that directly actuate a USB relay and automate switching behavior for connected devices, but it does not include any safety warning about physical-world effects, load limitations, or the need to verify what is attached. In an AI-agent context, this increases the chance that an agent or user will run examples that unexpectedly energize hardware, creating safety, equipment-damage, or operational risks.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The configuration example includes an `api_key` field inline without guidance on secret handling, which can normalize pasting credentials into plaintext config files that may be committed, shared, or read by other local processes. While this is documentation rather than executable code, it still promotes insecure secret-management practices.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The setup instructions tell users to add themselves to the `dialout` group, which grants ongoing access to serial devices, but they do not explain the security implications of that privilege change. While common for hardware access, undocumented privilege elevation can unnecessarily broaden device access and may persist beyond the immediate need.

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyserial>=3.5
Confidence
94% confidence
Finding
pyserial>=3.5

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal