Robotics

Security checks across malware telemetry and agentic risk

Overview

This skill is openly about robot control, but it exposes physical-motion commands over messaging apps without adequate safety checks, operator authorization, or motion limits.

Install only if you understand this is meant to control physical robots. Use it in simulation or a cleared supervised area first, add your own authentication and confirmation before accepting IM commands, enforce movement limits, and verify an emergency stop is available before connecting real hardware.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The README presents direct remote-control commands for physical robots and frames them as easy to use via messaging apps, but it does not include any safety guidance, operator-authentication caveats, emergency-stop requirements, or warnings about unintended motion. In a robotics skill, omission of these safeguards increases the risk that users deploy or invoke motion commands in unsafe environments, leading to injury, property damage, or unsafe autonomous behavior.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The skill explicitly demonstrates robot motion commands such as moving forward and turning, but provides no safety warnings, operator prerequisites, environmental constraints, or emergency-stop guidance. For a skill that controls physical robots, omission of these safeguards can lead users to issue movement commands in unsafe environments, increasing the risk of collision, property damage, or bodily injury.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The skill directly converts natural-language input into physical robot actions without any confirmation, authorization check, safety interlock, or bounds validation. In a robotics-control context, this is dangerous because accidental, spoofed, or socially engineered commands can immediately cause unsafe motion, property damage, or injury.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
The skill establishes outbound connections to IM platforms during initialization without clear disclosure, consent, or restriction over what external service is being contacted. This expands the attack surface and can expose command/control channels or metadata to third-party platforms unexpectedly, especially in enterprise or safety-sensitive deployments.

VirusTotal

65/65 vendors flagged this skill as clean.