AirShell

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly an air-quality sensor setup guide, but it gives the agent sensitive setup authority and optional silent device control that users should review before installing.

Install only if you want an agent to configure and query your AirShell sensor, store household context locally, use a gateway webhook token, call a weather API with your location, and possibly control a purifier. Review deployment.md carefully, avoid unnecessary health details, use revocable limited webhook credentials, and do not enable purifier automation unless you trust the script path, Python environment, and credential handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill instructs the agent to inspect its own gateway or environment-derived configuration to obtain a webhook URL and token, but it does not declare permissions or clearly scope that sensitive access. This is dangerous because it expands the skill from simple domain guidance into secret discovery, increasing the risk of unintended credential exposure or misuse by a broadly triggered skill.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose is an air-quality advisory/setup skill, but the behavior includes operational control of external systems, including optional purifier control via local scripts and broader integration actions. Description-behavior mismatches are dangerous because users and reviewers may approve the skill under a narrower trust model than the one actually exercised, enabling unexpected device control or access to other services.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The optional purifier-control section authorizes execution of local commands using script and python paths read from deployment data. Running local executables from configurable paths is dangerous because it can lead to arbitrary command execution or abuse of trusted local automation, especially if the deployment file can be modified or influenced by another process.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill tells the agent to discover its own webhook URL and token from internal configuration rather than obtaining a pre-approved connection reference. This is dangerous because it encourages introspection into sensitive agent configuration and secret material beyond what is necessary for normal conversational air-quality advice.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill activates on any mention of "AirShell," which is an overly broad trigger for a skill that can write deployment files, query devices, fetch external data, and push configuration. Broad activation is dangerous because accidental or adversarial prompting can cause the skill to run in contexts where the user did not intend operational actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The setup flow writes deployment data and posts configuration to a device, but the skill does not present a clear upfront warning that these are persistent and external side effects. This is dangerous because users may believe they are only answering advisory questions when they are actually authorizing state changes and network actions.

Missing User Warnings

High
Confidence
96% confidence
Finding
The purifier-control feature runs silently in the background and explicitly tells the agent not to mention it unless it fails. Hidden background device-control behavior is dangerous because it removes informed consent and auditability for actions that affect physical devices and local system execution.

Missing User Warnings

Medium
Confidence
74% confidence
Finding
The document describes automatic control of a physical device without an explicit warning that the agent may take system-impacting actions on the user's behalf. In an agent skill context, that can normalize unattended actuator behavior and lead users to enable automation without understanding when the purifier will run, what credentials are required, or how to disable it if behavior is undesirable.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The template explicitly prompts for sensitive household and health-related information such as room occupancy, infant age, elderly status, COPD, and other special notes, but provides no warning about sensitivity, retention, access control, or safe handling. In an agent-managed file, this creates a realistic risk of unnecessary collection, overexposure in logs/sync, or later disclosure to tools, plugins, or operators that do not need this data.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
1. Suggest appropriate alarm thresholds with reasoning (reference the docs for the standards that apply to their occupant type)
2. Ask them to confirm or adjust
3. Write `references/deployment.md` with the deployment context and agreed thresholds
4. Determine your webhook URL and token — check your own agent/gateway configuration. Do not ask the user to provide these. If you cannot determine them, tell the user: *"I need my webhook URL and token to connect to the sensor — this is how the sensor reaches me when an alarm fires. I couldn't find these automatically. You may need to check your agent's gateway config (for OpenClaw: `openclaw gateway status`)."*
5. POST the config to the device (see Pushing Config below)
6. Confirm: "AirShell is configured for [room]. Watching CO₂, PM2.5, temperature, and humidity."
Confidence
86% confidence
Finding
Do not ask the user

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal