Security audit

Ros1 Noetic General

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly purpose-aligned, but it can launch and stop ROS programs and source local state/setup files with weak scoping, so it needs review before use.

Install only if you intend to let the agent operate on local ROS1 workspaces. Before using it on real robots or shared machines, review the scripts that source state files, keep state files in a trusted private directory, avoid passing arbitrary state-file paths, and require explicit confirmation before launches, stops, rosbag recording, rosbridge exposure, sudo/install commands, or real-world motion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The script uses eval on the stdout of helper scripts, which means any unexpected or malicious content emitted by those helpers is executed as shell code in the current process. In this skill context, the script is intended for local ROS workspace inspection and bringup checks, so introducing code execution via helper output is more dangerous because it expands the trust boundary from data parsing into arbitrary command execution on the operator's machine.

Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: This script directly sources the user-provided state file and then sources the paths read from that file via ROS_SETUP and WORKSPACE_SETUP. Because shell source executes file contents as code in the current process, an attacker who can influence the state file or the referenced setup scripts can achieve arbitrary command execution with the privileges of the script runner. In this skill context, the script is explicitly intended for local ROS workspace operations, which commonly involve untrusted project files and developer environments, making the behavior more dangerous rather than less.

Context-Inappropriate Capability
Severity: High
Confidence: 99%
Finding: This is a true vulnerability because the script uses `source "$state_file"` on a user-supplied path, which executes any shell code contained in that file with the privileges of the script. A malicious or tampered state file can run commands immediately during stop operations, turning a metadata read into arbitrary code execution. In a ROS operations skill that routinely interacts with local workspaces and runtime processes, this is especially dangerous because operators may trust generated state files and run the script on real robot systems.

Vague Triggers
Severity: Medium
Confidence: 95%
Finding: The trigger conditions are extremely broad and match generic ROS terms such as ROS, catkin, and roslaunch, as well as common bilingual phrases. That makes accidental invocation likely, which is dangerous here because the skill can transition from answering questions to executing local scripts and runtime operations on a host system.

Vague Triggers
Severity: Medium
Confidence: 94%
Finding: The example triggers include vague conversational phrases such as '帮我看一下 ROS' ("help me take a look at ROS") and 'check this ROS workspace', which are not specific enough to distinguish a request for harmless advice from permission to inspect or modify a local environment. In a skill with shell-backed workflows, ambiguous invocation can cause unintended access to local files, builds, or running robot systems.

Missing User Warnings
Severity: Medium
Confidence: 87%
Finding: The file recommends `rosbag record` and related capture/replay operations but does not warn that bag files may contain sensitive telemetry, map data, camera streams, robot state, or environment information. In a ROS operations skill, users may follow these commands in production or field environments, so the omission of data-sensitivity guidance can lead to unintended collection, retention, or sharing of sensitive operational data.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The script uses eval on the output of another script: eval "$(...ros1_workspace_probe.sh --export)". If the probe script emits attacker-controlled shell syntax, that content is executed in the current shell, turning a workspace-discovery step into arbitrary command execution. In this skill context, users are explicitly encouraged to run local project operations against untrusted or mixed-trust ROS workspaces, which increases the danger because repository contents or helper scripts may be influenced by an attacker.

VirusTotal

67/67 vendors flagged this skill as clean.