S2-BAS-Causal-OS (S2 Building Automation Causal Operating System)

Security checks across malware telemetry and agentic risk

Overview

This HVAC/building-control skill is not clearly malicious, but it needs review because it describes overriding room settings and shutting down equipment without fully defined safety controls.

Install only for simulation or carefully controlled BAS testing unless you have an external BMS or owner-token system that enforces approvals. Do not connect it to live HVAC actuation until shutdowns, setpoint overrides, fan locks, audit logs, manual overrides, and safety limits are explicitly implemented and tested.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tp4

High
Category
MCP Tool Poisoning
Confidence
82% confidence
Finding
The skill presents itself primarily as a thermodynamic/BAS advisory engine, but it also embeds authorization logic, permission gating, and identifiers resembling owner IDs or BMS keys. Mixing access-control behavior and what look like credentials into a skill with a different stated purpose is dangerous: it can conceal privileged decision paths, enable unauthorized control attempts, and mislead reviewers about the tool's true trust boundary. Note that the excerpt reproduced under the Autonomous Decision Making finding shows only the token names `Dispatch_Token` and `Owner_Token`, not key material; confirm whether actual secrets are embedded before treating this as credential exposure.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The use case explicitly authorizes the agent to override guest HVAC settings, lock fan speed, and forcibly cut FCU water/power. That exceeds passive thermodynamic modeling and prediction, turning an analytics skill into an actuator-control authority without clear operator approval, policy limits, or safety governance. In a BAS environment, undocumented autonomous shutdown behavior can disrupt occupant comfort, damage trust, and create operational or safety issues if triggered incorrectly.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The documentation frames bypassing occupant intent as an intended capability, including direct enforcement against hotel guests. In building automation, this is dangerous because it normalizes unilateral agent control over occupied spaces without clear consent, escalation criteria, or accountability, increasing the risk of abuse, misconfiguration, and harmful false positives. The hotel-room context makes this more sensitive because actions directly affect paying occupants in a private environment.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill describes automatic override and shutdown actions but does not present an explicit warning, operator-facing disclosure, or safety notice commensurate with those interventions. This increases the chance that deployers enable the skill assuming it only performs mapping/calibration/prediction, when it may instead alter live building controls. In BAS systems, hidden or under-disclosed automation is risky because it can produce unexpected service interruptions and complicate incident response.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
## 5. Cyber-Physical Security: S2 Dual-Track Authorization
**(CRITICAL SECURITY DECLARATION)** An AI Agent generating L0-L4 decisions does NOT possess implicit physical execution rights. All hardware modifications must pass the **Dual-Track Auth Gateway**:
* **Commercial/Public Spaces**: Agents can only autonomously execute L0/L1 advisory actions. For L2/L3 hardware interventions, the Agent is strictly forbidden from directly cutting power. It must submit the decision as a "crisis proposal" to the central Building Management System (BMS). Physical execution is blocked unless a cryptographically signed `Dispatch_Token` is returned by the BMS.
* **Residential Spaces**: The Agent must attach an `Owner_Token` generated by the Homeowner's registered digital identity to execute L2/L3 interventions.
This Zero-Trust architecture entirely neutralizes prompt-injection vulnerabilities, preventing rogue AI agents from arbitrarily shutting down critical building infrastructure.
Confidence
86% confidence
Finding
autonomously execute
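
The gate the quoted section promises, and that the overview says must be implemented and tested before any live actuation, worked through as an added example. This is not code from S2-BAS-Causal-OS or from SkillSpector; the page names only the levels L0-L4, the `Dispatch_Token` and `Owner_Token`, and the rule that L2/L3 interventions need one of them. Everything else here is an assumption: Ed25519 as the signature scheme, the JSON canonical form, the level-to-action mapping, the `"commercial"`/`"residential"` track names, the field names, and the sample proposals.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// The page names decision levels L0-L4 and says only L0/L1 are advisory;
// the level-to-action mapping below is this example's assumption.
type Level int
const (
	L0 Level = iota // report or explain only
	L1              // recommend a setpoint or schedule change
	L2              // setpoint override, fan lock
	L3              // cut FCU water or power
	L4              // undefined on the page; gated like L2/L3 (fail closed)
)

// Proposal is the agent's "crisis proposal"; by itself it grants nothing. Space names
// the signing track ("commercial" = BMS Dispatch_Token, "residential" = Owner_Token);
// ID is unique per proposal and doubles as the replay nonce.
type Proposal struct {
	ID, Zone, Action, Space string
	Level                   Level
}

// Token is the issuer's signature over one exact proposal plus an expiry.
type Token struct {
	ExpiresAt time.Time
	Sig       []byte
}
const DefaultTTL = 5 * time.Minute

var (
	ErrNoToken      = errors.New("L2+ intervention requires a signed token")
	ErrExpired      = errors.New("token expired")
	ErrReplay       = errors.New("proposal already dispatched")
	ErrBadSignature = errors.New("signature does not verify under the track's key")
)

// canonical is what both sides sign; JSON escaping keeps the encoding unambiguous,
// so a token cannot be re-pointed at another zone, action, level or expiry.
func canonical(p Proposal, exp time.Time) []byte {
	b, _ := json.Marshal([]interface{}{"s2-dual-track-v1", p, exp.Unix()})
	return b
}

// NewIssuer creates one track's key pair. The private half lives with the BMS
// or the homeowner identity service, never on the agent host.
func NewIssuer() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// IssueToken is the issuer's approval step for one proposal.
func IssueToken(priv ed25519.PrivateKey, p Proposal, ttl time.Duration) Token {
	exp := time.Now().Add(ttl)
	return Token{ExpiresAt: exp, Sig: ed25519.Sign(priv, canonical(p, exp))}
}

// Gateway sits between the agent and the actuators and holds public keys only.
type Gateway struct {
	pubs       map[string]ed25519.PublicKey
	dispatched map[string]bool
}

func NewGateway(bmsPub, ownerPub ed25519.PublicKey) *Gateway {
	return &Gateway{map[string]ed25519.PublicKey{"commercial": bmsPub, "residential": ownerPub}, map[string]bool{}}
}

// Authorize returns nil only if the proposal may reach the hardware.
func (g *Gateway) Authorize(p Proposal, tok *Token) error {
	if p.Level <= L1 {
		return nil // advisory output: the agent may act on its own
	}
	switch {
	case tok == nil:
		return ErrNoToken
	case !time.Now().Before(tok.ExpiresAt):
		return ErrExpired
	case g.dispatched[p.ID]:
		return ErrReplay
	}
	pub, ok := g.pubs[p.Space] // unknown space or wrong-track key both fail closed
	if !ok || !ed25519.Verify(pub, canonical(p, tok.ExpiresAt), tok.Sig) {
		return ErrBadSignature
	}
	g.dispatched[p.ID] = true
	return nil
}

func main() {
	bmsPub, bmsPriv := NewIssuer()
	ownerPub, _ := NewIssuer()
	g := NewGateway(bmsPub, ownerPub)
	// Constructed sample: cut power to a guest-room FCU on the commercial track.
	p := Proposal{ID: "prop-0001", Zone: "room-1203", Action: "fcu_cut_power", Space: "commercial", Level: L3}
	tok := IssueToken(bmsPriv, p, DefaultTTL)
	fmt.Println("no token:", g.Authorize(p, nil), "| BMS token:", g.Authorize(p, &tok), "| replay:", g.Authorize(p, &tok))
}
```

The property that matters is that the gateway holds only public keys, so a prompt-injected agent on the same host cannot mint its own authorization, and that the signature covers the exact proposal plus an expiry, so an approved token cannot be replayed or re-pointed at a different zone or action. That is narrower than the quoted claim that the architecture "entirely neutralizes" prompt injection: an injected agent can still flood the BMS with crisis proposals, and an L0/L1 advisory path can still mislead the operator who approves them, neither of which a token gate addresses.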

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal