Clawhub Github Publish VA36tn

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This home-automation skill is mostly aligned with its purpose, but it grants broad no-confirmation control over home devices and has under-scoped Telegram, credential, and memory behavior.

Install only if you trust this skill to control your Home Assistant environment. Before enabling it, require explicit confirmations for device changes, remove or override the hard-coded Telegram chat ID, use a read-only database credential where possible, and decide whether home observations should be stored in memory.

Static analysis

Env credential access

Critical
Finding
Environment variable access combined with network send.
Content
const token = process.env.TELEGRAM_BOT_TOKEN ?? ''

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
High
What this means

The agent could change lights, climate, media, scenes, or presence state without asking each time.

Why it was flagged

The skill authorizes the agent to perform home device-control actions without explicit user approval, including broad scene activation and presence-state overrides that can affect the physical home and security-related automations.

Skill content
You MAY execute these directly without asking the user: ... Scenes: activate any scene ... Presence sensors: override presence state
Recommendation

Require explicit confirmation or a user-defined allowlist for all device mutations, especially scenes, presence overrides, climate changes, and anything that could affect safety or security.

ASI03: Identity and Privilege Abuse
Medium
What this means

Installing users may not realize the plugin can use a Telegram bot credential to send messages on their behalf.

Why it was flagged

The plugin reads a Telegram bot token and uses it to act through the Telegram API, while the registry metadata declares no required env vars or primary credential.

Skill content
const token = process.env.TELEGRAM_BOT_TOKEN ?? '' ... fetch(`https://api.telegram.org/bot${token}/sendMessage`, {
Recommendation

Declare TELEGRAM_BOT_TOKEN and TELEGRAM_NOTIFY_CHAT_ID in the skill metadata, document the exact Telegram permissions, and keep notification sending disabled unless explicitly configured.

ASI07: Insecure Inter-Agent Communication
Medium
What this means

Home-event messages could be sent to the wrong Telegram chat or fail in a way that hides a misconfiguration.

Why it was flagged

If no Telegram chat ID is set, the plugin sends notification content to a hard-coded chat ID, making the outbound destination unclear and potentially unintended.

Skill content
const chatId = process.env.TELEGRAM_NOTIFY_CHAT_ID ?? '35261635' ... body: JSON.stringify({ chat_id: chatId, text: `🏠 ${message}`
Recommendation

Remove the hard-coded chat ID default, require an explicit user-provided destination, and show the configured chat before enabling notifications.

ASI06: Memory and Context Poisoning
Medium
What this means

Sensitive home activity patterns could be kept and reused across future conversations.

Why it was flagged

The skill instructs persistent storage of home observations and preferences, which may reveal occupancy, behavior, and device-use patterns, without stating retention, deletion, or user-consent bounds.

Skill content
Store significant observations (anomalies, patterns, user preferences) in Hindsight using `memory_store` with bank `home-assistant`
Recommendation

Ask before storing home observations, minimize what is saved, add retention/deletion guidance, and avoid storing occupancy or security-sensitive details by default.

ASI06: Memory and Context Poisoning
Low
What this means

Home entity names and activity counts may appear in the agent's context even when the user only loosely mentions a home-related keyword.

Why it was flagged

The plugin can automatically insert home database entity context into prompts when home-related keywords are detected; this is purpose-aligned but exposes private home metadata to the model context.

Skill content
api.on('before_prompt_build' ... HA_KEYWORDS ... prependContext: ['<home-context>', 'TimescaleDB has historical data for these top entities:'
Recommendation

Make context injection opt-in or clearly configurable, and keep injected context limited to the minimum needed for the current request.