ClawHub

Tuya Smart Home

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for Tuya smart-home control, but it gives broad authority over real devices without enough safety and secret-handling guidance.

Install only if you are comfortable letting an agent control real smart-home devices. Keep Tuya credentials and local keys out of chat logs, shell history, and shared files; run scans only on your own network; and require explicit confirmation before any command that changes device state, especially feeders, plugs, curtains, or reset-like actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Low
Confidence
85% confidence
Finding
This skill exposes commands that can trigger real-world actions such as feeding pets, opening curtains, and switching powered devices, but it does not include an explicit warning to verify the intended target device and action before execution. In an agent setting, ambiguous device selection, stale identifiers, or prompt confusion could cause unintended physical actions, making this a real safety and security issue even without malicious intent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The reference explicitly documents retrieving and using Tuya sensitive materials such as access tokens, access_id/access_secret, and especially the device local_key, but it provides no warning that these secrets enable direct device control and should be stored, logged, and transmitted securely. In this smart-home context, exposure of a local_key or API credentials can let an attacker control household devices, enumerate device state, or bypass cloud restrictions via local network access.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The guide recommends tinytuya.deviceScan(verbose=True) without any caution that active network scanning may expose information about local devices, trigger monitoring alerts, or violate policies on networks the user does not own or administer. In a smart-home skill, scanning is relevant functionality, but documenting it without boundaries normalizes potentially intrusive reconnaissance behavior.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal