ClawHub

Sensibo

Security checks across malware telemetry and agentic risk

Overview

This Sensibo skill coherently controls the user's AC devices through Sensibo's official API, with some normal smart-home credential and state-change risks to handle carefully.

Install this only if you want the agent to control your Sensibo AC devices. Protect the API key, avoid committing or sharing TOOLS.md, and require confirmation for bulk actions, schedule deletion, and ambiguous room or device commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases are broad everyday commands like "how hot is it" and "AC off," which increases the chance the skill activates unintentionally in contexts where the user did not mean to control a Sensibo device. Because this skill performs real-world actions against HVAC devices, unintended invocation can cause unauthorized state changes, comfort issues, or wasted energy.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to store a live API key in TOOLS.md in plaintext and to send it in requests without warning about secret handling. That creates a credential exposure risk through local files, logs, screenshots, shell history, and tooling that may index or echo command lines containing the key.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill documents direct schedule deletion with no warning, preview, or confirmation guidance, enabling accidental destructive changes to automation. In a home automation context, removing schedules can silently disable expected HVAC behavior and create safety, comfort, or energy-management problems.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal