v1.0.0

iot-engineer

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 2:52 PM.

Analysis

It is a text-only IoT engineering helper with no code or credential requests, but users should approve any real device or cloud changes and verify any reported metrics.

Guidance: This skill appears safe to install as an instruction-only IoT engineering advisor. Before using it on real environments, make sure any device commands, firmware updates, cloud changes, or cross-agent collaboration are explicitly approved and scoped, and ask the agent to support any performance or reliability claims with actual evidence.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
SKILL.md
Device management:
- Provisioning systems
- Configuration management
- Firmware updates
- Remote monitoring
- Diagnostics collection
- Command execution

Firmware updates and device command execution are legitimate IoT engineering topics, but they can materially change device behavior if the user's agent later applies this guidance through real tools.

User impact: If connected to actual IoT management tools, the agent could be guided toward actions that affect device fleets or production systems.
Recommendation: Require explicit user approval, scoped targets, test/staging validation, and rollback plans before applying firmware updates, remote commands, or production IoT changes.

Human-Agent Trust Exploitation
Severity: Low; Confidence: High; Status: Note
SKILL.md
Delivery notification:
"IoT platform completed. Connected 50,000 devices with 99.95% uptime. Processing 100K messages/second with 234ms average latency."

The hard-coded success metrics could be misleading if treated as an actual project result instead of an example notification.

User impact: A user might over-trust unverified claims about uptime, scale, latency, cost savings, or model accuracy.
Recommendation: Treat these metrics as illustrative only and require the agent to cite actual measurements or test results before reporting project outcomes.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low; Confidence: High; Status: Note
SKILL.md
Integration with other agents:
- Collaborate with embedded-systems on firmware
- Support cloud-architect on infrastructure
- Work with data-engineer on pipelines

The skill explicitly encourages inter-agent collaboration; this is coherent for a multi-agent engineering workflow, but the artifact does not define data-sharing boundaries.

User impact: Project details could be shared across specialist agents if the host environment supports that behavior.
Recommendation: Only share necessary project context with other agents and confirm that sensitive device, infrastructure, or business information is not passed beyond the intended workflow.