BLE → $ANIMA Minter

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises, but it handles nearby Bluetooth device identifiers, so users should treat its output and logs as privacy-sensitive.

Install only if you intentionally want to scan nearby BLE devices. Treat terminal output and anima_dag.gpickle as sensitive because they may reveal or correlate nearby devices; delete them when no longer needed. Consider pinning dependency versions before installation and avoid sharing any generated DAG or logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The skill describes scanning nearby BLE MAC addresses, hashing them, storing the results locally, and optionally gossip-syncing them, but provides no warning, consent guidance, or privacy notice. Even if MACs are hashed, they are still device-derived identifiers and can create persistent pseudonymous tracking artifacts, especially when shared across nodes or correlated over time.

Missing User Warnings
Severity: High
Confidence: 97%
Finding: The code performs BLE scanning of nearby devices, extracts peer MAC addresses, and prints both the raw MAC address and a derived hash without any consent, notice, minimization, or access controls. Even though the MAC is hashed later, the plaintext identifier is still exposed in logs, and the static salt makes hashes linkable across runs, enabling tracking of nearby devices and creating significant privacy risk.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The skill persists collected device-derived identifiers to a local gpickle file with no disclosure, retention policy, encryption, or integrity controls. This creates a durable record of nearby devices that can be accessed later for tracking or correlation, especially because the same static-salted hash will remain stable over time.

Unpinned Dependencies
Severity: Low
Category: Supply Chain
Content: aioblescan, networkx
Confidence: 95%
Finding: aioblescan

Unpinned Dependencies
Severity: Low
Category: Supply Chain
Content: aioblescan, networkx
Confidence: 95%
Finding: networkx

VirusTotal

66/66 vendors flagged this skill as clean.