Nest SDM

Security checks across malware telemetry and agentic risk

Overview

This Nest skill mostly matches its stated purpose, but it combines home camera/device access with broad Google Cloud changes, credential reuse, Telegram forwarding, persistent logging, and unsafe input handling that deserve careful review.

Install only if you trust the publisher and are comfortable granting an agent access to Nest devices, cameras, event metadata, and related Google Cloud Pub/Sub resources. Use dedicated least-privilege Google credentials instead of relying on gcloud fallback, avoid storing unrelated secrets in ~/.zshenv, enable Telegram forwarding only if you want home activity sent there, review any raw api command before running it, and periodically delete logs or remove Pub/Sub/IAM resources when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill exposes shell-based operational capability and sensitive device-control functionality, but the metadata does not declare permissions or clearly signal that command execution and local token/file handling are required. This weakens user understanding and reviewability, making it easier to deploy a skill that can access credentials, invoke external services, and affect physical devices without an explicit permission boundary.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared description focuses on controlling Nest devices, but the documented behavior extends into Pub/Sub provisioning, IAM modification, continuous event polling, Telegram forwarding, local event logging, and camera stream/image handling. This mismatch can mislead users and reviewers about the true operational scope, obscuring surveillance, persistence, and external data-sharing features that materially increase security and privacy risk.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill materially exceeds its stated purpose of controlling Nest devices by also administering Google Pub/Sub infrastructure and relaying device events to Telegram. That broader capability increases the trust boundary and risk surface because it can change cloud resources and exfiltrate occupancy/security-related events to a third-party messaging service.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script silently reads Telegram credentials from ~/.zshenv, which is local secret storage outside the advertised interface of the skill. Accessing user shell profiles for unrelated service credentials expands secret exposure and can surprise users who did not consent to this skill harvesting tokens from their environment files.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script can create Pub/Sub topics/subscriptions and modify IAM policy, which are cloud-administration actions beyond ordinary Nest device control. In the context of a device-control skill, this is dangerous because it can alter cloud permissions and persistence mechanisms using broad OAuth or gcloud credentials.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script exposes surveillance-sensitive capabilities beyond the declared description: it can start, extend, and stop camera live streams and retrieve event images. This is dangerous because users or downstream agents may grant or invoke the skill under the assumption it only performs generic device control, when it also enables access to camera data and images inside the home.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The raw `api` command allows arbitrary authenticated GET/POST requests to the SDM API, which substantially exceeds the narrow, user-described scope of simple Nest device control. In practice, this creates a powerful passthrough that can reach any permitted API operation with the stored credentials, undermining least privilege and informed consent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Live camera streaming and event snapshot retrieval are privacy-sensitive capabilities because they can expose interiors, occupants, routines, and visitors. Documenting these features without an explicit warning, consent expectation, or retention/sharing guidance increases the chance of misuse or uninformed deployment in a home surveillance context.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill documents local event logging and Telegram alert forwarding without clearly warning that motion, person, doorbell, and thermostat events may be stored on disk and transmitted to a third-party messaging platform. In a smart-home context this can reveal occupancy patterns, identities, and household activity, making the omission materially dangerous from a privacy and surveillance perspective.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Reading Telegram credentials from ~/.zshenv without a clear warning or consent is a privacy/security issue because shell profiles often contain unrelated secrets. Users may not expect a Nest skill to inspect personal shell config and extract messaging credentials for external transmission.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script forwards Nest-derived alerts to Telegram without an explicit privacy warning, and those alerts reveal occupancy/security signals such as doorbell presses, motion, and person detection. Sending home-monitoring events to a third party increases exposure of sensitive behavioral data and may violate user expectations if not clearly disclosed.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Raw decoded Nest events are appended to local log files without clear disclosure, creating silent retention of potentially sensitive home-monitoring data. Those logs may include timestamps, device identifiers, and event metadata that can later be accessed by other local users or processes.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The event-image feature can cause camera snapshots to be written to a local file path without any warning, confirmation, or safeguards. Because these images may contain sensitive household or occupant data, silent persistence to disk increases the risk of unintended retention, later exposure, or access by other local users/processes.

External Transmission

Medium
Category
Data Exfiltration
Content
return 0
  fi

  curl -s -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \
    -H "Content-Type: application/json" \
    -d "$(python3 -c "
import json, sys
Confidence
97% confidence
Finding
curl -s -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
set_policy=$(echo "$new_policy" | python3 -c "import sys,json; print(json.dumps(json.load(sys.stdin).get('policy', {})))" 2>/dev/null)

  local result
  result=$(curl -s -X POST \
    "https://pubsub.googleapis.com/v1/${topic_path}:setIamPolicy" \
    -H "Authorization: Bearer ${token}" \
    -H "Content-Type: application/json" \
Confidence
94% confidence
Finding
curl -s -X POST \ "https://pubsub.googleapis.com/v1/${topic_path}:setIamPolicy" \ -H "Authorization: Bearer ${token}" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
return 0
  fi

  curl -s -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \
    -H "Content-Type: application/json" \
    -d "$(python3 -c "
import json, sys
Confidence
97% confidence
Finding
https://api.telegram.org/

Session Persistence

Medium
Category
Rogue Agent
Content
#   nest-events.sh listen              - Poll events continuously (daemon mode)
#   nest-events.sh poll                - Poll once, print events, exit
#   nest-events.sh setup-check         - Verify Pub/Sub config is ready
#   nest-events.sh create-topic        - Create Pub/Sub topic (requires cloud-platform scope)
#   nest-events.sh create-subscription - Create pull subscription
#   nest-events.sh grant-permissions   - Grant SDM publisher role to topic
#
Confidence
88% confidence
Finding
Create Pub/Sub topic (requires cloud-platform scope) # nest-events.sh create-subscription - Create pull subscription # nest-events.sh grant-permissions - Grant SDM publisher role to topic # # En

VirusTotal

66/66 vendors flagged this skill as clean.
