Off-grid radio for sovereign AI. LoRa mesh comms via Meshtastic — no internet required.

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly aligned with Meshtastic radio use, but it has review-worthy defaults around location publishing, device control, and local permissions.

Install only if you intend to operate a Meshtastic bridge and are comfortable with public MQTT exposure. Before running it, set map publishing off in code/config, avoid chmod 666 and use a restricted device group instead, protect or relocate /tmp message logs, and require explicit confirmation before sending messages, broadcasting position, forwarding digests externally, or rebooting the device.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly instructs the agent to read and write local files, run shell commands, and potentially access configuration/environment-backed settings, yet it declares no permissions. This creates a transparency and least-privilege failure: users may authorize the skill without understanding that it can touch local system state and invoke commands.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The advertised description understates the actual operational scope. Beyond simple send/receive messaging, the skill can expose location via map publishing, read telemetry and node metadata, forward message-derived summaries to external channels, and references privileged service control; this gap can mislead users into enabling a materially more invasive skill than expected.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The guide directs users to connect to the public Meshtastic MQTT broker and subscribe to broad regional topics, which expands the skill from local radio control into collection of wider network traffic. That can expose users to unnecessary third-party data and create privacy/compliance issues beyond the stated local-device use case.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill metadata emphasizes messaging, status, and message history, but the implementation also exposes direct device-control functions such as telemetry requests, traceroute, GPS position broadcast, and reboot. This capability expansion increases the attack surface and can cause unexpected actions on connected radio hardware that a user or caller would not reasonably infer from the stated purpose.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code exposes a reboot tool that can immediately disrupt the connected Meshtastic device, interrupting communications and potentially affecting emergency or off-grid use cases. Because reboot is unrelated to ordinary messaging and is available as a normal tool call, an agent or untrusted prompt could trigger denial of service against the radio device.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill can broadcast arbitrary latitude and longitude via mesh_send_position even though the skill description does not clearly establish location broadcasting as a core function. This can leak or spoof sensitive location data onto the mesh network, creating privacy and operational risks, especially in off-grid or safety-sensitive contexts.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The `map` command exposes control over map publishing even though the skill description emphasizes messaging, status, node listing, and recent messages. This hidden capability broadens the skill's operational scope and can change privacy-sensitive data sharing behavior, especially if location or node telemetry is published externally.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The setup wizard performs environment discovery and service diagnostics that are not reflected in the manifest description. Undisclosed host-inspection behavior increases attack surface and can leak system details or normalize broader-than-expected access for a messaging skill.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The setup flow executes host inspection commands (`lsusb`, `systemctl`) and enumerates device files, which goes beyond core message send/receive functionality. In an agent setting, this kind of ambient system probing can reveal environment details and create an unnecessary privilege/visibility expansion.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script explicitly advertises capabilities beyond basic send/receive messaging: it publishes map reports to a third-party MQTT service and exposes a local socket control API. That creates a material mismatch with the stated skill description and increases attack surface and privacy risk, especially because users may not expect background location publication or a control port.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code collects the device's GPS position and metadata, then periodically publishes it to an external broker (`mqtt.meshtastic.es`) every five minutes. Even with coarse rounding, this leaks sensitive location and identifying information (node ID, names, firmware/hardware details) to a third party without an evident necessity tied to the described messaging function.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The MQTT section enables receipt of global mesh traffic and includes public broker credentials and topics without a prominent warning that using these settings may expose user metadata, mesh activity, and potentially location-linked information to third-party infrastructure. In a Meshtastic skill, MQTT bridging is contextually relevant, but the lack of explicit privacy guidance makes accidental over-sharing more likely, especially because the configuration normalizes connection to public brokers.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly promotes global traffic monitoring via the MQTT bridge and local logging of mesh messages, but it does not clearly warn users that they may ingest third-party communications and persist them in plaintext on disk. In an agent-integrated context, this increases the risk of unintended collection, retention, and downstream processing of sensitive radio traffic without informed consent or safeguards.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README advertises capabilities to broadcast GPS position and reboot the connected device without clearly warning about operational consequences such as location disclosure, privacy loss, service interruption, or accidental device unavailability. In an AI-agent setting, exposing these actions as routine tools without stronger cautions can lead to unsafe invocation by users or autonomous workflows.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The monitoring examples instruct the system to read local mesh messages, translate them, classify them, and forward alerts/digests to Telegram or another external channel without a prominent warning that message contents may be sensitive. This can cause unintended disclosure of private communications, location hints, and inferred metadata to third-party services.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The MQTT bridge instructions and optional node-based MQTT settings enable receiving and publishing mesh traffic, including potential node position data, without an explicit warning that messages and telemetry may be exposed to external brokers and broader audiences. In a messaging skill, this is especially risky because users may assume traffic stays local to their attached radio.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The guide suggests `sudo chmod 666 /dev/ttyACM0`, making the serial device world-writable. Any local user or process could then access the radio, inject traffic, alter configuration, or interfere with communications, which is an unnecessary privilege broadening.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The reboot operation executes immediately with no warning, confirmation, cooldown, or privilege check despite being a disruptive management action. In an agent context, this makes accidental or prompt-induced device disruption much more likely because there is no safety interlock before the radio is restarted.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script appends high- and medium-priority mesh message contents directly to /tmp/mesh_monitor_log.txt, which persists potentially sensitive radio communications to local storage without any notice, consent, retention control, or access hardening. In this skill’s context, messages may include distress, location, or operational information from an off-grid mesh network, so silent persistence increases privacy and disclosure risk, especially on multi-user systems where /tmp is commonly accessible or monitored.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The bridge publishes location and device metadata externally with no user-facing warning, confirmation, or consent flow in the code path. In the context of an off-grid messaging skill, silent transmission of location data is especially risky because users may rely on it in privacy- or safety-sensitive situations.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
**Permission denied:**
```bash
sudo chmod 666 /dev/ttyACM0
# Or add udev rule for permanent fix
```
Confidence
99% confidence
Finding
chmod 666

VirusTotal

66/66 vendors flagged this skill as clean.
