ClawHub

Unihiker K10 OTA

Security checks across malware telemetry and agentic risk

Overview

This skill is an OTA firmware guide with coherent intent, but its copyable examples expose unauthenticated firmware flashing over HTTP with a hardcoded Wi-Fi password.

Review this carefully before installing or copying the examples. Use only with an explicit maintenance mode, unique strong per-device credentials, network isolation, and preferably signed firmware or another authenticity check before accepting uploads. Do not expose the `/ota` endpoint on an untrusted network or with the provided example password.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The maintenance-mode example enables an AP with a hardcoded, weak password and exposes a firmware upload endpoint without any authentication or authorization checks. Anyone within radio range who knows or guesses the AP credentials can upload arbitrary firmware, resulting in full device compromise and persistent code execution.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The minimal example starts a predictable AP with a hardcoded password and immediately serves an unauthenticated /ota endpoint that writes directly to flash. An attacker in range can replace firmware with a malicious image, permanently backdoor the device, or brick it.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The OTA example exposes a firmware upload endpoint over plain HTTP with no authentication, authorization, or integrity verification. Any actor on the same network or connected to the fallback AP could upload malicious firmware, resulting in full device compromise, persistence across reboots, and possible takeover of connected systems or physical functions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The example operational guidance normalizes exposing a flash-write endpoint over a local AP without a clear warning that unauthorized users could install arbitrary firmware. In the skill context, this is more dangerous because the document is an implementation guide likely to be copied verbatim into production-like firmware.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal