Claw ESP Expert

Security checks across malware telemetry and agentic risk

Overview

This ESP-IDF helper is broadly coherent with its purpose and discloses its network lookup, build, and device flashing capabilities, though users should invoke flashing tools deliberately.

Install this only if you want an ESP-IDF assistant that can inspect local ESP projects and, when asked, run idf.py build or flash monitor against connected hardware. Treat flash_and_monitor and execute_project as device-changing actions, review registry suggestions before adding dependencies, and avoid pointing it at unrelated private directories.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration

Findings (5)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 92% confidence
Finding: The skill declares no explicit permissions, yet its documented behavior clearly uses environment inspection (`$IDF_PATH`, local binaries) and network access (`resolve_component` querying the ESP Component Registry). This creates a transparency and policy-enforcement gap: hosts or users may authorize the skill under the assumption of reduced capability, while it can access local environment details and external services.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 89% confidence
Finding: The top-level description understates the skill's operational scope: beyond diagnostics, it performs network lookups, decodes binaries/logs with toolchain utilities, runs `idf.py flash monitor`, and orchestrates build/flash/monitor execution loops. This mismatch can mislead reviewers and users about the real trust boundary, causing them to invoke a skill that can interact with hardware, external services, and local project artifacts more extensively than advertised.

Description-Behavior Mismatch

Medium

Confidence: 94% confidence
Finding: The skill metadata understates its capabilities: beyond environment checking and diagnostics, it can install ESP-IDF and perform flash/monitor execution workflows on connected devices. This is dangerous because users or policy systems may grant trust based on the manifest description while the tool can make system changes and interact with hardware, increasing the risk of unintended installation or device modification.

Description-Behavior Mismatch

Low

Confidence: 90% confidence
Finding: The skill performs component registry lookups and can generate manifest dependency updates, but these behaviors are not disclosed in the stated skill description. This creates a transparency and trust problem because the skill can influence dependency selection and project manifests in ways users and reviewers may not expect.

Context-Inappropriate Capability

Medium

Confidence: 92% confidence
Finding: The code reaches out to an external component registry even though the manifest does not declare network-based behavior. Undisclosed network access is risky because it can leak project intent or metadata, introduce supply-chain influence through remote suggestions, and bypass policy decisions that depend on accurate capability declarations.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal