Security audit

mqttasgi - IOT backbone for Django

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a coherent mqttasgi usage guide, with privacy and prompt-injection cautions around AI automation examples but no verified hidden or malicious behavior.

Before installing, review the SKILL.md examples and avoid wiring raw MQTT payloads directly into an external LLM or letting model output publish to MQTT without validation. Use broker ACLs, topic allowlists, payload schemas, least-privilege credentials, and explicit approval for device-control topics.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The AI automation example sends sensor topic and payload data to Anthropic without any warning that operational or potentially sensitive telemetry is being transmitted off-system. In an IoT/home automation context, sensor data can reveal occupancy, routines, locations, and device state, so omitting an explicit privacy warning increases the chance of unsafe deployment.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal