Loxone

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Loxone smart-home skill, but it needs review because it can control real devices and one helper can print a live token-bearing WebSocket URL.

Install only if you are comfortable giving this skill Loxone Miniserver credentials and device-control authority. Use a least-privilege Loxone account, prefer HTTPS, keep config.json private, protect or delete cached structure files, avoid running or sharing output from loxone_auth.py unless tokens are redacted, and require an explicit user request before any control command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding
The skill declares no explicit permissions even though its documented behavior and required dependencies clearly imply network access and likely local file read/write during execution. This creates a permission-model mismatch: a host or reviewer may treat the skill as lower risk than it actually is, reducing visibility and policy enforcement for a skill that can communicate with a smart-home controller and potentially modify state.

Intent-Code Divergence

Medium
Confidence: 91%
Finding
The test entrypoint loads credentials from a local config file and then prints authentication artifacts, including a token preview and the full WebSocket URL containing the token as a query parameter. In a smart-home control skill, these values can grant access to device state and control actions, and stdout is commonly captured by terminals, logs, CI systems, or agent telemetry.

Missing User Warnings

Medium
Confidence: 98%
Finding
The script prints the JWT token and also prints a full WebSocket URL that includes the token in the query string, directly exposing a live bearer credential. Anyone with access to console output, shell history capture, logs, or monitoring systems could reuse that token to connect to the Miniserver and monitor or control smart-home functions.

Missing User Warnings

Medium
Confidence: 93%
Finding
The class allows `use_https=False`, which causes authentication traffic to be sent over plain HTTP. Even though the password is transformed before transmission, the resulting authentication material and subsequent token exchange can be intercepted or modified by a network attacker, enabling unauthorized access to smart-home telemetry and control.

Missing User Warnings

Medium
Confidence: 94%
Finding
The client exposes direct state-changing operations such as send_command(), turn_on(), and turn_off() without any confirmation, authorization gate, safety policy, or explicit user acknowledgement before actuating physical devices. In a smart-home context, this can cause unintended or coerced actions against real-world systems (lights, switches, potentially other mapped controls), making accidental misuse and prompt-driven unsafe actuation more likely.

VirusTotal

64/64 vendors flagged this skill as clean.