Smart Home Unified

Security checks across malware telemetry and agentic risk

Overview

This smart-home skill is not clearly malicious, but it asks for powerful home/account credentials while overstating what the code actually implements.

Review carefully before installing. Do not place Xiaomi passwords, Apple credentials, HomeKit PINs, or device tokens in TOOLS.md unless you trust the publisher and understand that other tools or future tasks may read that file. Prefer scoped tokens, a secret manager, and manual confirmation for any command that controls physical devices, and treat the advertised HomeKit, AI, security, and multi-platform capabilities as unproven by these artifacts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The file advertises a real HomeKit integration, but the implementation is largely a stub: connect() only validates a PIN and logs success, and read/write helpers do not interact with actual HAP services. This is dangerous because downstream agents or users may rely on false state and false success signals when controlling home-automation devices, leading to unsafe automation decisions and incorrect security assumptions.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The connect() method claims to connect to HomeKit but does not establish any connection, discover devices, or verify session state before reporting success. In a home-control skill, this can mislead orchestrators into believing device control is available, causing silent operational failure or unsafe follow-on actions based on nonexistent connectivity.

Missing User Warnings

Medium
Confidence: 93%
Finding
The guide tells users to pass an API token directly on the command line, which commonly exposes secrets through shell history, process listings, CI logs, screenshots, and copied terminal transcripts. In a publishing workflow for a skill marketplace, leaked tokens could let an attacker impersonate the publisher, publish or modify skills, or access account-scoped resources.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill explicitly tells users to place highly sensitive credentials—Xiaomi account username/password, Apple credentials, HomeKit PINs, and device tokens—into TOOLS.md, but does not warn that this file may be plaintext, version-controlled, logged, or otherwise broadly accessible. If stored there, these secrets could be exposed to other tools, other skills, backups, or source repositories, enabling unauthorized control of smart-home devices and potential account compromise.

Missing User Warnings

Medium
Confidence: 91%
Finding
The document tells users to pass an API token directly on the command line but does not warn that the token is sensitive or that shell history, process lists, CI logs, terminal recordings, and screenshots may expose it. If copied into shared environments or captured in logs, the token could let an attacker authenticate to ClawHub and publish, modify, or access account-scoped resources.

Ssd 4

Medium
Confidence: 92%
Finding
The Facebook promotion plan explicitly recommends a staged trust-building approach followed by 'soft promotion' and private-message outreach, which can bypass community transparency and moderation expectations. In an agent skill context, this normalizes covert advertising and manipulative social engineering tactics that could be reused for deceptive or abusive outreach at scale.

VirusTotal

65/65 vendors flagged this skill as clean.