Security audit

S2 Light Perception

Security checks across malware telemetry and agentic risk

Overview

The skill openly describes and implements local smart-light discovery and read-only light-state checks, with no evidence of hidden exfiltration, persistence, or destructive behavior.

Install only if you want an agent to actively scan your trusted local network for Hue/Wiz smart lights and read their state. Confirm before running discovery, avoid shared or unauthorized networks, and provide target device IPs intentionally for read operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 95%
Finding:
The invocation instructions direct the agent to perform a real network scan and subsequent device reads without defining strict trigger conditions, exclusions, or confirmation requirements. In an agent setting, broad operational instructions like these can cause unintended autonomous LAN enumeration and device interaction, especially if invoked from ambiguous user prompts or chained workflows.

Missing User Warnings

High
Confidence: 98%
Finding:
The skill description emphasizes that it is a '100% real network-active radar' performing UDP broadcast, SSDP multicast, and local API calls, but it does not present a clear user-facing warning about active LAN scanning and device probing risks. Without an upfront warning, users may unknowingly trigger behavior that can expose local network topology, enumerate smart devices, or interact with hardware on a private network.

VirusTotal

65/65 vendors flagged this skill as clean.