Nanoleaf (Picoleaf)

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Nanoleaf lighting controller. Its setup steps, installing a CLI and storing a local device token in a config file, are expected for the task but security-sensitive: the token authorizes control of the device to anyone who can read the file and reach the controller on the network.

Install only if you are comfortable trusting the Picoleaf package source. Keep ~/.picoleafrc private, preferably mode 600, and revoke or regenerate the Nanoleaf token if the file is shared, backed up insecurely, or exposed.
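The setup procedure from the skill's README (quoted in the finding below) leaves the token's file permissions to the user. The following POSIX shell functions, an added example that is not part of the Picoleaf project, carry out the pairing and config steps with the mode-600 handling recommended above, and add a check and a revocation helper. `PICOLEAF_RC` is a hypothetical override used here so the file-writing functions can be exercised against a temporary path; Picoleaf itself reads `~/.picoleafrc`. The `DELETE /api/v1/<token>` call is the Nanoleaf Open API's documented way to delete an auth token.

```shell
#!/bin/sh
# Added example, not Picoleaf's own code. PICOLEAF_RC is a hypothetical
# override so the rc-file functions can be tested against a temp file.

# Step 2 of the README procedure: after the 5-7 s power-button hold, request
# a token and print the auth_token field from the JSON reply.
# Needs network access to the controller; not exercised offline.
picoleaf_pair() {
    ip="$1"
    curl -sS -X POST "http://${ip}:16021/api/v1/new" \
        | sed -n 's/.*"auth_token" *: *"\([^"]*\)".*/\1/p'
}

# Step 3: write the config file. umask 077 makes the file mode 600 at
# creation, so it is never briefly world-readable; chmod covers the case
# where the file already existed with a looser mode.
picoleaf_write_rc() {
    ip="$1"; token="$2"; rc="${PICOLEAF_RC:-$HOME/.picoleafrc}"
    ( umask 077
      printf 'host=%s:16021\naccess_token=%s\n' "$ip" "$token" > "$rc" )
    chmod 600 "$rc"
}

# Returns 0 only if the rc file exists as a regular file with mode exactly
# 600. The ls -l prefix is used instead of stat because stat's flags differ
# between GNU and BSD userlands.
picoleaf_check_rc() {
    rc="${PICOLEAF_RC:-$HOME/.picoleafrc}"
    [ -f "$rc" ] || return 1
    mode=$(ls -ld "$rc" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Revoke a token that has been shared or exposed (Nanoleaf Open API:
# DELETE /api/v1/<auth_token>). Prints the HTTP status code; 204 means
# the token was deleted. Needs network access; not exercised offline.
picoleaf_revoke() {
    ip="$1"; token="$2"
    curl -sS -o /dev/null -w '%{http_code}' \
        -X DELETE "http://${ip}:16021/api/v1/${token}"
}
```

Run `picoleaf_check_rc` before handing the file to any tooling or backup job; a non-zero exit means the mode has drifted from 600 and the token should be treated as exposed until the file is fixed or the token is revoked with `picoleaf_revoke`.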

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Session Persistence

Medium
Category
Rogue Agent
Content
1. Find Nanoleaf IP: Check router or use mDNS: `dns-sd -Z _nanoleafapi`
2. Generate token: Hold power button 5-7 sec until LED flashes, then within 30 sec run:
   `curl -iLX POST http://<ip>:16021/api/v1/new`
3. Create config file `~/.picoleafrc`:
   ```ini
   host=<ip>:16021
   access_token=<token>
   ```
Confidence
90% confidence
Finding
Create config file `~/.picoleafrc`

VirusTotal

66/66 vendors flagged this skill as clean.
