Back to skill

Security audit

SwitchBot OpenAPI

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent SwitchBot integration, but it gives an agent broad smart-home control including locks, garage doors, scenes, passcodes, and private household media/data without strong built-in safeguards.

Install only if you are comfortable giving the agent broad control over your SwitchBot account. Keep the token and secret protected, review which locks, garage devices, scenes, cameras, and keypads are reachable, and require explicit confirmation before unlock/open, scene execution, passcode create/delete, photo/talk, diary access, or image upload actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The origin metadata declares the slug as 'switchbot-cloudapi' while the evaluated skill context is 'switchbot-openapi'. A mismatch in identity metadata can cause the wrong package to be tracked, updated, or trusted, undermining supply-chain integrity and making it harder to verify that the installed skill matches the reviewed manifest.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The examples expose keypad passcode creation and deletion operations, which materially expand the apparent capability of the skill into credential and physical access management. Because the manifest description emphasizes device control/query and does not clearly call out access-code administration, users and integrators may not appreciate that the skill can create door-entry credentials, increasing the risk of unauthorized access or misuse.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill enables high-impact physical and privacy-sensitive actions such as unlocking locks, creating keypad codes, controlling cameras/doorbells, and uploading images, but it provides no general confirmation or consent guidance before executing them. In an agent setting, this increases the risk of unauthorized or accidental real-world actions from ambiguous prompts or prompt-injection-style request chaining.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This reference documents lock/unlock and passcode-management capabilities for physical access devices without any warning, confirmation requirement, or mention of the security implications of unlocking doors or creating credentials. In an agent skill that can directly invoke these commands, omission of cautionary guidance increases the risk of unsafe automation, social-engineering abuse, or accidental execution of high-impact physical security actions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The uploadImage command accepts either a URL or base64 image payload, but the reference does not warn that user-provided image data will be transmitted to a third-party cloud service and may contain sensitive personal content. In a skill context, that missing privacy notice can lead to unintentional exfiltration of private images or retrieval from attacker-controlled URLs.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The Diary API exposes event logs plus AI-generated diary and comic diary content, which may reveal occupancy patterns, routines, and other sensitive behavioral information. Documenting this endpoint without a privacy warning is risky because users or downstream agents may query intimate household telemetry without understanding the sensitivity of the returned data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The lock/unlock/deadbolt examples demonstrate safety-critical physical security actions without any warning, confirmation guidance, or discussion of access consequences. In an agent skill context, normalizing these commands without safeguards can lead to accidental unlocking or misuse that results in unauthorized physical entry.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The garage door opener example shows a direct actuation command with no warning about door movement, physical safety, or property access implications. In a home-automation skill, this can enable accidental opening or unsafe operation, potentially exposing the home or causing harm if the door moves unexpectedly.

Missing User Warnings

High
Confidence
95% confidence
Finding
The passcode creation and deletion examples show how to mint and revoke keypad credentials, including a hardcoded sample password, without any warning about credential sensitivity or physical access impact. In this skill’s context, these are highly sensitive operations because they directly control who can enter a protected space and could be abused for covert persistence or unauthorized entry.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.