Sony Tv

Security checks across malware telemetry and agentic risk

Overview

This skill transparently controls a configured Sony Bravia TV on the local network, with normal cautions around the TV control key and accidental commands.

Install only if you want OpenClaw to control this TV. Keep SONY_TV_PSK private, avoid committing or sharing the generated .env file, use the skill only on a trusted local network, and consider requiring confirmation for disruptive actions such as power off, app switching, or long remote-button sequences.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill clearly relies on sensitive capabilities including environment variables, shell execution, local file/script access, and network communication to control a TV, yet it declares no explicit permissions. This creates a transparency and policy gap: users and hosting systems may not understand that the skill can access secrets like the TV PSK and send commands over the local network, which increases the risk of unintended device control or abuse if invoked improperly.

Missing User Warnings

Severity: Low
Confidence: 92%
Finding: The README instructs users to configure and use a TV pre-shared key but does not warn that it is a credential, should be kept secret, or should not be hardcoded, shared, or committed to repositories. In this skill context, the key grants control over a device on the local network, so exposure could let an attacker on the same network or with access to logs/configs control the TV, though the blast radius is limited to that device.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding: The trigger phrases are broad and overlap with common speech such as 'play', 'pause', 'go back', 'select', and 'open YouTube', which can cause accidental invocation in normal conversation. In a device-control skill, unintended activation can immediately change power state, launch apps, or send remote-control inputs to a TV on the local network, making the overlap more risky than in a read-only skill.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The script writes the TV pre-shared key directly into a plaintext .env file in the skill directory without warning the user or restricting file permissions. If the directory is shared, committed to source control, or readable by other local users/processes, the credential could be exposed and used to control the TV API on the local network.

VirusTotal

64/64 vendors flagged this skill as clean.