ClawHub

Dgx Spark Temperature

Security checks across malware telemetry and agentic risk

Overview

This skill is a real DGX Spark temperature checker, but it may run for unrelated temperature questions and uses a visible SNMP community string to query a specific network device.

Install only if you are authorized to query dgx-spark1.fiber.house and understand that the included community string is visible to anyone who can read the skill files. Narrow the trigger wording before use so generic temperature questions do not contact infrastructure, and prefer moving the credential to protected configuration or SNMPv3 for broader sharing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are broad enough to match generic temperature questions such as 'body temperature' or 'how hot things are running', which can cause the agent to invoke this skill outside its intended DGX Spark context. That creates unintended network access to a specific internal host and may disclose hardware and system metadata when the user did not ask for infrastructure information.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The skill omits an explicit warning that it performs an SNMPv2c query with a community string against a specific host and can reveal device metadata beyond temperatures. Even though the community is read-only, the lack of disclosure increases the chance of surprise network access, unintended data exposure, and misuse in contexts where such access is not expected.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script performs an SNMPv2c query using a hardcoded community string, which sends access credentials in cleartext and embeds them directly in the file. This creates a real credential-exposure risk: anyone with file access can recover the community string, and anyone on the network path can capture it and reuse it to query the monitored host.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal