Red Alert (Israel)

Security checks across malware telemetry and agentic risk

Overview

This alert skill has a legitimate emergency-notification purpose, but its main skill description under-discloses Docker, Home Assistant, 3CX calling, credential storage, and background persistence.

Review carefully before installing. Only use this if you intend to run a persistent alert monitor with Docker, OpenClaw WhatsApp posting, optional 3CX calls, and optional Home Assistant TTS. Configure all destinations explicitly, remove hard-coded defaults, restrict .env permissions, inspect the crontab entry, and avoid providing a Home Assistant token unless you trust the host and need speaker announcements.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Tainted flow: 'cmd' from os.getenv (line 92, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
"--channel", "whatsapp",
               "--target", target,
               "--message", message]
        r = subprocess.run(cmd, capture_output=True, text=True, timeout=15)
        if r.returncode == 0:
            log.info(f"✅ WhatsApp → {target}")
        else:
Confidence
80% confidence
Finding
r = subprocess.run(cmd, capture_output=True, text=True, timeout=15)

Tainted flow: 'HA_URL' from os.getenv (line 30, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
def ha_tts(text: str):
    """הכרז קולית דרך רמקול Home Assistant"""
    try:
        r = requests.post(
            f"{HA_URL}/api/services/tts/google_translate_say",
            headers={"Authorization": f"Bearer {HA_TOKEN}", "Content-Type": "application/json"},
            json={"entity_id": HA_TTS_SPEAKER, "message": text, "language": "iw"},
Confidence
87% confidence
Finding
r = requests.post( f"{HA_URL}/api/services/tts/google_translate_say", headers={"Authorization": f"Bearer {HA_TOKEN}", "Content-Type": "application/json"}, j

Tainted flow: 'OREF_API' from os.getenv (line 24, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
def check_alert():
    global last_alert_id, alert_sent_at, all_clear_sent
    try:
        data = requests.get(OREF_API, timeout=5).json()
    except Exception as e:
        log.warning(f"⚠️ API: {e}")
        return
Confidence
82% confidence
Finding
data = requests.get(OREF_API, timeout=5).json()

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation indicates capabilities to access environment variables, make network requests, and invoke shell commands, but it declares no permissions. This creates a transparency and trust problem: operators cannot accurately assess the skill's effective privileges, and the hidden shell/network capability materially increases the blast radius if the skill is modified, compromised, or misconfigured.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose claims an OpenClaw-only design with no Home Assistant, wacli, or Docker monitor, yet the analyzed behavior includes additional undeclared components such as Docker, Home Assistant, and 3CX calling. This mismatch is dangerous because it conceals actual attack surface, secrets handling, and external integrations from reviewers, making unsafe deployment more likely and enabling privileged functionality that users did not consent to.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The installer prompts for a Home Assistant access token and writes it in plaintext to a local .env file without warning, permission hardening, or secure secret storage. On multi-user systems or systems with weak file permissions, this can expose a powerful automation credential that may allow an attacker to read state, control devices, or pivot into the home automation environment.

VirusTotal

63/63 vendors flagged this skill as clean.
