ReefBeat

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for local ReefBeat aquarium control, but it gives an agent broad unauthenticated power to scan the LAN and change life-support equipment without built-in safeguards.

Install only if you intentionally want an agent to control local Red Sea ReefBeat equipment. Use read-only commands by default, manually confirm every POST/PUT/DELETE, verify the device IP and payload, avoid reset/firmware/dosing/pump/top-off changes unless explicitly intended, and run discovery only on networks you own.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The CLI exposes generic GET/POST/PUT/DELETE access to arbitrary paths on any user-supplied IP address, not just known ReefBeat devices or approved device API routes. In an agent context, this creates an SSRF-like arbitrary internal HTTP client capability that could be used to probe, access, or modify other local-network services far beyond aquarium control.

Context-Inappropriate Capability

Low
Confidence: 84%
Finding
The discovery routine scans an entire /24 subnet and probes every host over HTTP, which gives the skill broad internal network enumeration capability. While intended to find ReefBeat devices, in an agent setting this expands the tool's reach into general host discovery and service probing on the user's LAN, increasing privacy and misuse risk.

Vague Triggers

Medium
Confidence: 84%
Finding
The description claims support for 'ALL actions on ALL devices' and says to use it for 'ANY reef tank / aquarium request,' which is overly broad activation language. That increases the chance the skill is invoked for loosely related prompts and can lead to unintended execution of powerful network/device-control actions.

Missing User Warnings

Medium
Confidence: 95%
Finding
The documentation provides commands for discovery, manual fill, pump control, turning lights off, maintenance mode, and other direct device-state changes without prominent safety warnings or confirmation requirements. In an aquarium context, mistaken actuation can harm livestock, disrupt life-support equipment, or cause water-management failures, making this materially dangerous.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation advertises unauthenticated destructive operations such as factory reset, emergency mode, cloud enable/disable, and delete-style actions over plain HTTP without any caution, confirmation, or safety guidance. In the context of a skill explicitly intended to support ALL actions on aquarium life-support equipment, this materially increases the chance of unsafe or accidental use and could enable harmful device state changes on a local network.

Missing User Warnings

Medium
Confidence: 88%
Finding
The Cloud API section includes a credential exchange flow and embedded Basic authorization value with no warning about handling account credentials, token storage, or transmission risk. Even though marked as reference-only, exposing a ready-to-use auth pattern can encourage insecure credential use, accidental logging, or expansion of the skill into cloud account access beyond the stated local-control scope.

VirusTotal

66/66 vendors flagged this skill as clean.
