ST200TH Temperature and Humidity Transmitter

Security checks across malware telemetry and agentic risk

Overview

This IoT device-management skill is mostly purpose-aligned, but it can immediately change, restart, reset, and update devices without enough safety controls or warnings.

Install only if you intend to let an agent administer ST200TH devices. Confirm the exact target MAC before any write action, treat restart/reset/OTA/configuration changes as maintenance-window operations, avoid exposing MQTT passwords or network details in chat/logs, and use OTA or HTTP configuration only on a trusted isolated network.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 91%
Finding
The README advertises destructive or high-impact operations such as device restart, factory reset, configuration changes, and OTA upgrade without any visible warning, confirmation guidance, rollback notes, or statement of operational consequences. In an agent-skill context, this increases the chance that an AI agent or user will invoke disruptive actions on production IoT devices, causing outages, loss of configuration, or unsafe state changes.

Missing User Warnings

Medium
Confidence: 72%
Finding
The restart command is described as immediately effective with no response, but there is no required warning or confirmation step. Restarting an IoT device can interrupt monitoring or control workflows and may cause temporary loss of telemetry or service availability if triggered accidentally.

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill allows changing MQTT/TCP/HTTP server settings, credentials, reporting intervals, and protocol enablement without an explicit risk warning. Misconfiguration or malicious redirection of these parameters could disconnect the device, expose credentials, redirect telemetry to an attacker-controlled endpoint, or degrade device/network stability.

VirusTotal

58/58 vendors flagged this skill as clean.
