Security audit

Hdl Skills Hub

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a smart-home control integration, but it asks agents to handle local secrets and user credentials while enabling physical device changes without enough scoping or confirmation safeguards.

Install only if you trust the publisher and understand that the skill may use HDL account credentials and control smart-home devices. Prefer a version that uses platform-managed secrets, clearly confirms the target home/room/device before changes, and warns before transmitting passwords or changing physical device state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The skill gives conflicting instructions for the security-critical `homeId` source: one section requires dynamically obtaining the user-selected home via `home-management-api`, while later parameter docs say to always use the fixed value `${HDL_HOME_ID}`. In a multi-home context, this inconsistency can cause the agent to act on the wrong residence, leading to unauthorized device visibility or control across homes tied to the same account.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill explicitly instructs the agent to read `${HDL_APP_KEY}` and `${HDL_APP_SECRET}` from a local `../.env` file, even though the documented function is only to query a home list. This unnecessarily expands the skill's data-access scope to local secrets and creates a prompt-driven secret exfiltration path if the agent is capable of file access or if downstream tooling maps such instructions into privileged operations.

Scope Creep

Medium
Confidence: 96%
Finding
The skill explicitly instructs the agent to read credentials from a root-level `../.env` file and to avoid asking the user. This expands the skill's effective privileges beyond the declared `authenticated` permission and encourages secret retrieval from local filesystem state, which can expose unrelated environment secrets and bypass normal consent or secret-scoping controls.

Scope Creep

Medium
Confidence: 96%
Finding
The skill explicitly instructs the agent to read AppKey/AppSecret from a local `../.env` file even though the declared permission is only `authenticated`. That creates a capability mismatch and effectively directs the agent to access local secrets outside the declared trust boundary, which can expose credentials to any skill execution path that reaches this logic.

Missing User Warnings

Medium
Confidence: 84%
Finding
This skill enables actions that change the user's physical environment, such as switching devices, changing brightness, and adjusting temperature, but it does not require a user-facing warning or confirmation before execution. Without a safety prompt or confirmation policy, an agent could perform unintended physical actions from ambiguous, spoofed, or mistaken requests, creating safety, privacy, and property risks.

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill directs collection and transmission of usernames and passwords to a remote login endpoint but does not require any explicit notice, consent, or privacy warning before sending them. In an agent setting, this increases the risk of users disclosing credentials without understanding they will be transmitted to an external service and processed alongside locally sourced application secrets.

Ssd 3

High
Confidence: 99%
Finding
The skill explicitly instructs the AI to read `${HDL_APP_KEY}` and `${HDL_APP_SECRET}` from a root `../.env` file during execution. Directing an agent to access filesystem-stored secrets is a strong secret-handling violation: it expands secret exposure to prompt-driven behavior, increases the chance of accidental disclosure, and breaks the boundary between tool inputs and protected credential management.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

Static analysis

No suspicious patterns detected.