ClawHub

Broadlinkac

Security checks across malware telemetry and agentic risk

Overview

The skill’s storage of AC configuration, API keys, location, and weather lookups appears disclosed and aligned with an AC-control/weather-aware purpose.

Install only if you are comfortable storing AC-related configuration and API keys under ~/.ac_controller/config.json and sharing location/weather lookup data with the named external services. Review the config file permissions, avoid reusing sensitive API keys, and disable or avoid network-backed weather features if you do not want location data sent to third parties.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Low
Confidence
94% confidence
Finding
The skill explicitly states that configuration is persisted to ~/.ac_controller/config.json, but the quick-start flow does not present this as a clear warning before users supply API keys, location, and device settings. In an agent context, silent persistence to the home directory can expose secrets or location data to other local processes, backups, or later sessions without the operator realizing it.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The weather, alert, and city lookup features send location data and related queries to external services (QWeather, OpenStreetMap, NMC), but the skill description does not clearly warn that using these APIs causes outbound network requests that may disclose approximate location, usage patterns, or API credentials. In an AI-agent setting, this is more dangerous because an autonomous agent may invoke these functions without the user understanding that third-party data sharing is occurring.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal