Living Room Air Monitor

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its air-monitoring purpose, but it needs review because it can auto-install Python packages at runtime, and it collects and sends private home telemetry over a hub connection with weak network trust controls.

Install only after reviewing the scripts and accepting the privacy tradeoff: this skill stores a history of living-room air readings, reads a Dirigera token from the workspace, and can send detailed reports through configured email or WhatsApp tools. Preinstall and pin matplotlib or remove the automatic pip install, restrict permissions on the token and CONTACTS.json, and avoid using the hub connection on untrusted networks until TLS verification or certificate pinning is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
```python
import matplotlib.dates as mdates
except ImportError:
    print("matplotlib not found. Installing...")
    os.system(f"{sys.executable} -m pip install matplotlib --quiet")
    import matplotlib
    matplotlib.use('Agg')
    import matplotlib.pyplot as plt
```
Confidence
98% confidence
Finding
os.system(f"{sys.executable} -m pip install matplotlib --quiet")

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documentation describes capabilities to read and write local files, invoke shell commands, and access the network, yet no permissions are declared. This creates a transparency and policy gap: users and any permission-gating system cannot accurately assess or constrain what the skill will do, especially since it accesses tokens, contacts, external CLIs, and a local hub.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
Although reporting is mentioned at a high level, the skill behavior materially expands into sensitive operations: reading a shared contacts file, reading an auth token, invoking external messaging tools, and connecting to a hardcoded local hub with TLS verification reportedly disabled. The most serious issue is the insecure network trust model, which can expose credentials or sensor data to interception or enable hub impersonation on the local network.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Automatically installing packages during chart generation expands the script's trust boundary to the package index and local Python environment at execution time. In a skill context, this means a benign data-visualization action can unexpectedly modify the host system, introduce supply-chain risk, or fail in surprising ways on restricted systems.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script reads recipient data from a shared workspace CONTACTS.json located outside the skill's own data domain, creating a trust-boundary violation. If that shared file is modified by another skill, user, or process, reports could be silently redirected to an attacker-controlled email address or phone number, causing exfiltration of historical sensor data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill sends historical air-quality readings through email or WhatsApp but does not clearly warn users that data will be transmitted to external services and recipients. Even if the content seems low sensitivity, environmental data, timestamps, and occupancy-adjacent patterns can reveal household routines and should be treated as private telemetry.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The documentation references sensitive materials such as the Dirigera token file and shared contacts configuration without any handling guidance. This increases the risk of accidental exposure through weak file permissions, logs, backups, or unsafe sharing of workspace contents.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code performs a pip install without explicit consent, warning, or confirmation, which can change the runtime environment as a side effect of simply generating a chart. This is dangerous because it can bypass expected change-control, trigger network access unexpectedly, and pull code from external sources in environments that should remain deterministic or offline.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The sending functions transmit historical air-quality reports over email or WhatsApp without any built-in confirmation or user-facing warning in the execution path. In an agent skill context, that makes unintended external sharing easier and increases the chance of quiet exfiltration to a misconfigured or malicious recipient, especially since contact details are loaded automatically from shared state.

Session Persistence

Medium
Category
Rogue Agent
Content
````markdown
### CONTACTS.json

Create `~/.openclaw/workspace/CONTACTS.json` with your contact information:

```json
{
````
Confidence
82% confidence
Finding
Create `~/.openclaw

VirusTotal

66/66 vendors flagged this skill as clean.
