pugoing-smart

Security checks across malware telemetry and agentic risk

Overview

This Pugoing smart-device helper is mostly purpose-aligned, but it can send the configured API key to arbitrary URLs and trigger device-control actions without clear safeguards.

Install only if you trust the skill and can keep the request specs it sends under user control. Avoid the full-url option, point PUGOING_BASE_URL only at a trusted Pugoing server, treat PUGOING_API_KEY as a secret, and require confirmation of host, device, and action before allowing any control command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation describes network access, environment-variable credential use, and file-based/stdin inputs, but no explicit permissions are declared. This creates a transparency and governance gap: an agent or reviewer may underestimate that the skill can read secrets, read files, and make outbound requests, which can enable credential misuse or unintended data exfiltration.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill is presented as a Pugoing-specific helper, but the interface allows arbitrary full URLs, custom headers, and effectively general-purpose API invocation. That mismatch is dangerous because users and higher-level agents may trust it as a narrow device-control skill while it can be repurposed for SSRF, data exfiltration, unauthorized external calls, or interactions beyond the stated platform.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The client accepts a caller-supplied full URL and arbitrary HTTP method, allowing the skill to act as a generic HTTP proxy rather than a Pugoing-scoped API wrapper. In an agent setting, this can be abused for SSRF, unintended access to internal services, and exfiltration of environment-derived credentials such as the X-API-Key to attacker-controlled endpoints.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
By honoring spec['url'] directly, the code permits outbound requests to arbitrary endpoints, which is unjustified for a skill meant to query and control the Pugoing platform. In context, this substantially increases danger because the skill may run with network access and an API key in the environment, enabling SSRF or credential leakage to external hosts.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation encourages natural-language device control without warning that these calls can change device state and affect the physical environment. In a smart-control context, ambiguous or unsafe prompts could unlock doors, switch power, alter building systems, or otherwise cause safety, privacy, or operational harm.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The skill instructs users to provide an API key through environment variables but gives no guidance on secure credential handling. While this is common practice, the absence of warnings increases the chance of keys being hardcoded, logged, exposed in shell history, or reused insecurely across environments.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The client automatically injects the PUGOING_API_KEY into outgoing headers and sends request data without any restriction or disclosure. Combined with the arbitrary-URL behavior, this can silently transmit sensitive credentials or user-provided data to unintended destinations, making the issue more dangerous in this skill than in a tightly scoped internal client.
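The overview's mitigations (no full-url option, requests pinned to PUGOING_BASE_URL, confirmation of host, device and action before control commands) and the arbitrary-URL and key-injection findings above can be made concrete in code. The block below is an added example written for this page, not the pugoing-smart skill's own source: it shows the request-building pattern the findings describe beside a hardened builder. The spec dict shape (path, method, headers, json, device, action), the function names, the sample environment and the confirmation callback are assumptions; only the PUGOING_BASE_URL and PUGOING_API_KEY variables and the X-API-Key header name come from the page.

```python
"""Added example (not the pugoing-smart skill's own code): the request-building
pattern the findings describe, beside a hardened version that pins every request
to PUGOING_BASE_URL and gates control commands behind explicit confirmation.

Assumptions: the spec dict shape ({"path" | "url", "method", "headers", "json",
"device", "action"}), the function names, the confirm callback and SAMPLE_ENV are
constructed for illustration. Only PUGOING_BASE_URL, PUGOING_API_KEY and the
X-API-Key header name come from the page.
"""
from urllib.parse import urlsplit

# Constructed sample environment; a real client would read os.environ.
SAMPLE_ENV = {
    "PUGOING_BASE_URL": "https://api.pugoing.example",
    "PUGOING_API_KEY": "k-test-0001",
}

# Headers the caller may never set: they carry or redirect credentials.
RESERVED_HEADERS = {"x-api-key", "authorization", "cookie", "host"}
ALLOWED_METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE"}


class UnsafeRequest(ValueError):
    """A spec that would leave the trusted host or bypass confirmation."""


def build_request_unsafe(spec, env):
    """The pattern the findings describe: spec['url'] and spec['method'] are
    honoured verbatim and the API key is attached to every request, so a spec
    pointing at an attacker-controlled host receives the key."""
    headers = dict(spec.get("headers", {}))
    headers["X-API-Key"] = env["PUGOING_API_KEY"]
    return {"method": spec.get("method", "GET"), "url": spec["url"], "headers": headers}


def build_request_hardened(spec, env, confirm=None):
    """Build a request pinned to PUGOING_BASE_URL.

    confirm(host, device, action) -> bool is called for every non-GET request;
    if it is absent or returns False the control command is refused.
    """
    base = urlsplit(env["PUGOING_BASE_URL"])
    if base.scheme != "https" or not base.netloc:
        raise UnsafeRequest("PUGOING_BASE_URL must be an https:// URL with a host")

    # The full-url option is refused outright rather than validated.
    if "url" in spec:
        raise UnsafeRequest("full URLs are not accepted; give a path under PUGOING_BASE_URL")

    path = spec.get("path", "")
    if (not path.startswith("/") or path.startswith("//") or "://" in path
            or any(ord(c) < 0x20 or c.isspace() for c in path)):
        raise UnsafeRequest(f"rejected path {path!r}")

    url = env["PUGOING_BASE_URL"].rstrip("/") + path
    # Re-parse the joined URL: anything that changed scheme or host is rejected.
    joined = urlsplit(url)
    if joined.scheme != base.scheme or joined.netloc != base.netloc:
        raise UnsafeRequest(f"path {path!r} escapes {base.netloc}")

    headers = {}
    for name, value in spec.get("headers", {}).items():
        if name.lower() in RESERVED_HEADERS:
            raise UnsafeRequest(f"caller may not set header {name}")
        headers[name] = value
    # The key is attached only here, after the destination host has been pinned.
    headers["X-API-Key"] = env["PUGOING_API_KEY"]

    method = str(spec.get("method", "GET")).upper()
    if method not in ALLOWED_METHODS:
        raise UnsafeRequest(f"method {method} not allowed")

    # Anything that can change device state needs host, device and action confirmed.
    if method != "GET":
        device, action = spec.get("device"), spec.get("action")
        if not device or not action:
            raise UnsafeRequest("control commands must name a device and an action")
        if confirm is None or not confirm(base.netloc, device, action):
            raise UnsafeRequest(f"{action} on {device} at {base.netloc} was not confirmed")

    return {"method": method, "url": url, "headers": headers, "json": spec.get("json")}


def is_allowed(spec, env, confirm=None):
    """Policy dry run: True if the hardened builder would send the request."""
    try:
        build_request_hardened(spec, env, confirm)
        return True
    except UnsafeRequest:
        return False
```

The hardened builder re-parses the joined URL instead of trusting the path check alone, so inputs like a leading `//host` or a backslash that a URL parser treats as part of the authority are caught by the host comparison, and the key is only added after that comparison passes. The confirmation callback receives the host, device and action together, which is the triple the overview says a user should see before a control command is allowed.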

VirusTotal

63/63 vendors rated this skill clean.