Back to skill

Security audit

Morning Wake-Up

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: fetch weather and start a matching Sonos favorite, with the main risks disclosed.

Install only if you intend to let OpenClaw control your Sonos speaker. Verify the speaker name, volume, presets, and local `sonos` command before use, and add the cron schedule only if you want playback to start automatically every day. Use city-level location rather than precise coordinates if location privacy matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases include broad, common expressions such as "wake me up" and "morning routine," which can match normal conversation and cause unintended invocation. In this skill's context, accidental activation is more concerning because the resulting action can control local Sonos speakers, change volume, and start playback automatically on a schedule or command.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.