ClawHub

TM Soil Moisture Skill

Security checks across malware telemetry and agentic risk

Overview

This is a local soil-moisture analysis skill with a disclosed simulated-weather limitation, not hidden or malicious behavior.

Install only if you are comfortable giving the skill read access to the local agriculture database path it expects. Treat irrigation recommendations as advisory and based mainly on local soil readings unless the code is updated to use real, fresh weather data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The function claims to incorporate future weather trends into irrigation advice, but it uses hard-coded simulated values instead of real forecast data. In an agriculture decision-support skill, this can mislead users into making irrigation choices based on false assumptions, potentially causing crop stress, water waste, or reduced trust in the system.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal