Holocube Emotes

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for a local holocube display, but it needs review because it can scan your local network, reuse a stored Gemini API key, and delete existing device images without a clear final confirmation in onboarding.

Install only if you are comfortable with a skill that can scan your local subnet, control and clear images on a GeekMagic holocube, and reuse a Gemini API key from OpenClaw config. Prefer passing a known --ip, back up device images before setup, use a dedicated Gemini key if possible, and avoid running onboarding against an untrusted or wrong device.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 97%
Finding:
The skill instructs the agent to use shell commands, access environment variables (`GEMINI_API_KEY`), write local files, and interact with devices over the network, but it does not declare these permissions. That creates a real security and governance gap: users and policy systems cannot accurately assess or constrain what the skill can do before execution, increasing the chance of unintended local-network scans, device modification, and file changes.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding:
The documented behavior goes beyond a simple emote-display skill: it performs subnet discovery, uploads and deletes files on a device, backs up device contents locally, queries device details, and automates behavior by time of day. Even if these features are functionally related, the mismatch reduces informed consent and can hide invasive or destructive actions inside a seemingly cosmetic skill, especially in an agentic environment that may run commands with limited user review.

Context-Inappropriate Capability

Severity: Medium
Confidence: 72%
Finding:
The script reads a Gemini API key from the user's global OpenClaw configuration, expanding credential access beyond explicit per-run input. In a skill ecosystem where skills are potentially untrusted, silently pulling secrets from a shared config increases the blast radius if the script or downstream dependency is compromised.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding:
The code actively scans the entire local /24 subnet by probing every host for /v.json using a thread pool. Even if intended to help users find a device, this is still local network reconnaissance functionality beyond simple emote control, and it can expose network inventory information or violate least-privilege expectations for an agent skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding:
The skill includes a recon capability that enumerates local hosts and identifies devices by model/version, which is sensitive environmental information unrelated to the minimum function of setting an emote on a known holocube. In an agent context, adding network discovery increases the attack surface because an invoked skill can gather infrastructure data from the user's LAN without being essential to its core behavior.

Context-Inappropriate Capability

Severity: Medium
Confidence: 83%
Finding:
The onboarding script silently reads a Gemini API key from a local OpenClaw configuration file that may have been created for another skill or purpose. Accessing stored credentials outside the immediate onboarding flow expands the secret exposure surface and can surprise users who did not consent to this skill reusing previously stored API material.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The script accesses a stored Gemini API key from local configuration without notifying the user, reducing transparency around secret use. In a skill ecosystem, undisclosed credential reuse is risky because users may assume a key is only used by the originating skill, while this code silently broadens access.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The upload routine automatically clears existing images on the device before uploading new content, but the user is not explicitly warned that prior images will be deleted. This is a destructive action against user data on a physical device, and accidental use could cause unintended loss of existing custom content.

VirusTotal

64/64 vendors flagged this skill as clean.
