Control4 Home

Pass

Audited by VirusTotal on May 12, 2026.

Findings (1)

The skill provides extensive control over Control4 smart home devices. The `scripts/control4_cli.py` file includes a `cmd_call` function that allows calling any exposed method on any Control4 entity. This generic access, even with an `--allow-sensitive` flag for specific keywords, presents a significant vulnerability. A malicious prompt to the AI agent could exploit this capability to execute unauthorized or harmful commands (e.g., disarming security panels, unlocking doors, manipulating critical systems) beyond the user's explicit intent. There is no evidence of intentional malicious behavior, such as data exfiltration or persistence mechanisms, within the skill itself, so it is classified as a high-risk vulnerability rather than outright malware.