ClawHub

Tibber Energy

Security checks across malware telemetry and agentic risk

Overview

This Tibber energy skill is mostly coherent, but its smart-home control mode can run arbitrary local shell commands when enabled.

Install only if you understand the command-execution feature and will keep control mode in dry-run until every command and threshold is verified. Avoid using --execute in unattended agent workflows or with command strings influenced by prompts, remote content, or untrusted config. Prefer read-only price and optimization commands unless you specifically need local automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run_cmd(label: str, cmd: str, execute: bool):
    print(f"{label}: {cmd}")
    if execute:
        subprocess.run(cmd, shell=True, check=True)


def command_control(args, token, home_id):
Confidence
99% confidence
Finding
subprocess.run(cmd, shell=True, check=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
76% confidence
Finding
The skill clearly requires sensitive capabilities including environment-variable access, local file reads, network access to the Tibber API, and shell execution, yet those capabilities are not explicitly declared as permissions. This weakens reviewability and consent because users may not realize the skill can execute commands or access local secret/config files.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill description focuses on energy insights and automation, but the documented interface allows arbitrary shell commands to be supplied via --on-command and --off-command and then executed with --execute. In an agent setting, this creates a command-execution surface that can be abused by prompt injection, unsafe parameter passing, or mistaken user input to run unintended local commands.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The README explicitly documents `--on-command` and `--off-command` as arbitrary shell command execution for control actions. Even if intended for local smart-home automation, exposing shell execution as a first-class feature creates a command-injection and arbitrary-code-execution surface that is broader and riskier than simply toggling supported devices through a constrained API.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill advertises smart-home control based on energy prices, but its implementation allows execution of arbitrary shell commands instead of constrained device actions. That scope expansion makes the host system, not just smart-home devices, reachable through the skill and materially increases abuse potential.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal