Starling Home Hub (Nest/Google Home)

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local wrapper for controlling a Starling Home Hub, with real smart-home security risks that are explained rather than hidden.

Install only if you are comfortable letting an agent use your Starling API key to control local smart-home devices. Prefer a read-only or least-privilege key, avoid --http and --key, pin the hub certificate with --cacert when possible, and require manual confirmation for lock, camera, stream, and home/away changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Tool Parameter Abuse

Severity: High
Category: Tool Misuse
Content
- Create separate keys for different automation tasks if possible

### TLS Certificate Verification
- HTTPS is the default, but the script uses `curl -k` (skip cert verification) because Starling Home Hub uses a self-signed certificate
- This is acceptable on a **trusted local network** but increases MITM risk on untrusted networks
- To pin the hub's certificate instead: `starling.sh --cacert /path/to/hub-cert.pem status`
- When `--cacert` is provided, `-k` is not used and full certificate verification applies
Confidence: 94%

VirusTotal

51/51 vendors flagged this skill as clean.
