Pilot Smart Home Coordinator Setup

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed setup guide for a smart-home coordinator, with privacy-sensitive external reporting that users should configure carefully.

Install only if you intend to run a multi-agent smart-home setup. Review the downstream pilot-* bridge skills before enabling Slack, email, or webhook reporting, and avoid sending occupancy, lock state, or detailed room activity outside your home network unless you trust the destination and have configured redaction or aggregation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 85%
Finding
The README explicitly states that the dashboard sends daily summaries to the homeowner via Slack or email, but it provides no warning about the privacy sensitivity of home telemetry such as occupancy, room status, energy usage, and device state. In a smart-home context, these summaries can reveal behavioral patterns, presence/absence, and security-relevant information, so transmitting them through third-party channels without data-minimization or privacy guidance creates a real data exposure risk.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly configures a dashboard role to send daily summaries to external services via webhook/Slack/email, but it does not require any user confirmation, data classification, or warning that home telemetry may leave the local smart-home environment. In a smart-home context, exported status data can reveal occupancy patterns, device state, and other sensitive household information, so silent exfiltration to third parties is a meaningful privacy and security risk.

VirusTotal

66/66 vendors flagged this skill as clean.
