ClawHub

when-clock-skill

Security checks across malware telemetry and agentic risk

Overview

This is a real LAN clock-control skill, but it needs review because it can silently replace an existing alarm and includes broad device-admin protocol documentation beyond its normal clock features.

Install only if you are comfortable letting this skill change alarms on your LAN clock. Edit config.json to your own device IPs, list alarms before editing or deleting, and be careful using set_timer on a clock that may already have ten alarms because it can replace an existing alarm. Treat the bundled protocol docs as administrative reference material and avoid using their Wi-Fi, password, reboot, OTA, or factory-reset endpoints unless you intentionally want device administration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares no permissions, but its own description clearly indicates it reads configuration from disk, may write or depend on local config state, and performs LAN HTTP requests to discovered clock devices. This creates a transparency and least-privilege problem: users and reviewers are not informed that invoking the skill can access local files and send commands over the network to physical devices.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The protocol documentation exposes a much broader control surface than the skill’s declared purpose of time announcement, weather broadcast, alarms, and timer reminders. In an agent-skill context, documenting unsupported capabilities such as network reconfiguration, password changes, OTA, reboot, and factory reset increases the chance that the implementation will invoke or later expand into dangerous device-administration actions that users did not intend to delegate.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
These lines document reading and setting SSIDs, Wi‑Fi passwords, BSSID binding, IP configuration, DNS, and MAC data, which are unrelated to announcing time or managing alarms. If exposed through an agent, this could let a prompt or misuse reconfigure the device onto attacker-controlled infrastructure, cause denial of service, or exfiltrate sensitive local network information and credentials.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The documentation includes login state discovery, password hashing requirements, and password-setting operations that are outside the skill’s stated purpose. In a skill ecosystem this creates a path for credential rotation, lockout, or unauthorized session establishment on the device, turning a convenience skill into an administrative control channel.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The documented action types include OTA, reboot, and factory reset, all of which are destructive or highly disruptive and unrelated to basic clock-control use cases. In the context of a conversational or agent-driven skill, such capabilities materially raise the risk of accidental or adversarial invocation leading to device downtime, configuration loss, or unauthorized firmware changes.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Several triggers are common everyday phrases like 'what time is it', 'set alarm', and 'delete alarm', which can cause accidental invocation in general conversation. Because this skill issues LAN commands to real clock devices and can modify or delete alarms, unintended activation can change device state or disrupt reminders without deliberate user intent.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger list includes many very common conversational phrases such as '现在几点', '几点了', 'set alarm', and 'cancel alarm', which can be matched during ordinary speech and cause unintended invocation. Because this skill can modify device state by creating, editing, deleting alarms and timers on LAN-connected clocks, overbroad triggers increase the risk of accidental or unauthorized actions through ambiguous natural-language activation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation exposes destructive operations such as deleting alarms and modifying existing ones without any confirmation, rollback, or warning step. In a voice-triggered skill controlling real devices, this can lead to silent loss of alarms or unexpected schedule changes from misrecognition, accidental invocation, or prompt/agent misuse.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation explicitly exposes an API that returns and accepts highly sensitive values including Wi‑Fi SSIDs, Wi‑Fi passwords, device MAC addresses, BSSIDs, IP configuration, and DNS settings over local HTTP. Even though this is documentation rather than executable code, it describes an insecure interface design that can enable credential disclosure and network reconnaissance if authentication is disabled, weak, or not consistently enforced.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The protocol documents powerful state-changing actions such as firmware upgrade, reboot, time setting, and factory reset, but does not indicate mandatory confirmation, authorization checks, or safeguards against accidental or unauthorized invocation. In a voice/agent skill context, these operations are more dangerous because natural-language triggers or automation mistakes could disrupt device availability or wipe configuration.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
This section documents that the device reads and transmits SSIDs, passwords, BSSID, MAC, IP, gateway, and DNS information, but does not warn that these are sensitive network identifiers and credentials. In an agent setting, missing disclosure increases the likelihood of over-collection, inadvertent logging, or unsafe transmission of secrets and local-network metadata.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation presents reboot, OTA, and reset operations as ordinary API actions without prominent warnings about service interruption, erased settings, or recovery implications. For a skill whose user-facing purpose is benign clock control, the lack of destructive-action warning makes accidental triggering more plausible and more dangerous.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
This function modifies device alarm state over the network immediately, without any built-in confirmation or explicit acknowledgment of the pending change. In an agent/voice-skill context, ambiguous utterances or misrouting could cause unintended alarm creation on a physical device, affecting availability and user trust.

Missing User Warnings

High
Confidence
92% confidence
Finding
Deleting alarms is a destructive device-state change, and the code performs it as soon as an index is provided, with no confirmation or safeguard. In a voice/agent setting this is more dangerous because accidental deletion of important wake-up or medication reminders can cause real-world harm or significant disruption.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The edit path updates existing alarms on the device without confirming which alarm will change or summarizing the modifications first. In this skill context, remote changes to wake-up schedules and reminders can materially affect the user's environment, so silent edits increase the chance of harmful unintended state changes.

Missing User Warnings

High
Confidence
96% confidence
Finding
When the alarm list is full, the timer-setting logic silently overwrites the 10th alarm instead of failing or asking permission. This is particularly risky in a clock/alarm skill because an innocuous timer request can destroy an existing important alarm, leading to missed wake-ups, appointments, or medication reminders.

Missing User Warnings

High
Confidence
97% confidence
Finding
When the device already has 10 alarms, setting a timer silently replaces the 10th existing alarm instead of failing or requiring confirmation. In a voice-controlled home device context, this can unexpectedly destroy an important scheduled alarm, creating integrity and safety risks such as missed wake-ups, medication reminders, or other time-sensitive events.

Overly Broad Trigger

Low
Category
Trigger Abuse
Confidence
80% confidence
Finding
The trigger '报时' is extremely short and generic, increasing the chance of accidental activation from unrelated speech or text. In this skill, activation can send commands over the LAN to a device, so even a low-complexity trigger can lead to nuisance behavior or unintended announcements.

Shadow Command Trigger

Medium
Category
Trigger Abuse
Confidence
88% confidence
Finding
The trigger 'set alarm' is broad and overlaps with common built-in assistant commands, creating a shadowing risk where users may invoke this third-party skill instead of an expected trusted system function. Because the skill can write alarms to LAN clock devices, this could redirect or alter reminder behavior unexpectedly.

Shadow Command Trigger

Medium
Category
Trigger Abuse
Confidence
90% confidence
Finding
The trigger 'delete alarm' conflicts with common built-in assistant behavior and is especially risky because it maps to a destructive action. If matched unintentionally or shadowing a trusted command path, it could remove alarms from the device and cause missed reminders or wake-ups.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal