Back to skill

Security audit

Holocube Emotes

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-built for a holocube display, but it needs review because it can scan the local network, reuse a stored Gemini key, and clear or replace images on the device with limited confirmation.

Install only if you are comfortable letting this skill probe your local network for holocube devices, use a Gemini API key for image generation, and change or clear images on the selected device. Prefer passing a known --ip, back up existing device images before setup, and use a dedicated Gemini key if possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs the agent to use shell commands, write files, access environment-backed credentials, and interact with networked devices, but it does not declare permissions or clearly constrain those capabilities. That mismatch increases the risk of unexpected command execution, unintended file modification, and exposure or misuse of local-network resources when the skill is invoked.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script includes active subnet-wide discovery by scanning every host in the local /24 and probing /v.json, which is a form of local network reconnaissance beyond the core need of setting an emote on a known device IP. Even if intended as a convenience feature, this expands the skill's network reach and can reveal nearby devices or trigger security monitoring in environments where unsolicited scanning is not expected.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The local network reconnaissance capability is real: the code derives the local subnet and concurrently probes 254 addresses to identify devices. In the context of an emote controller, that behavior is only weakly justified and increases risk because a seemingly simple peripheral-control skill gains the ability to enumerate the user's LAN.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The onboarding script automatically reads a Gemini API key from environment variables and from a separate OpenClaw configuration file, even though onboarding could instead request explicit user consent. Accessing unrelated local credential sources expands trust boundaries and can surprise users by silently consuming secrets from outside this skill's own setup flow.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script silently pulls API credentials from the environment or a local config file without notifying the user during execution. This weakens informed consent and makes secret usage less transparent, which is especially risky in an onboarding script that users may run interactively with high trust.

Missing User Warnings

Low
Confidence
90% confidence
Finding
If no IP is provided, the script automatically invokes network discovery and begins probing the local network without obtaining explicit confirmation first. Even though this is intended to find the holocube device, unsolicited scanning can violate user expectations, trigger security monitoring, or probe networks where the user lacks authorization.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
prompt = f"{character_desc} The robot looks friendly and slightly mischievous. Square composition."

    print(f"Generating base character...")
    env = os.environ.copy()
    env["GEMINI_API_KEY"] = api_key

    result = subprocess.run(
Confidence
82% confidence
Finding
os.environ.copy()

Env Variable Harvesting

High
Category
Data Exfiltration
Content
out_path = output_dir / f"{emote}.png"
    prompt = f"Make this robot head {desc} Keep the same wireframe holographic style on pure black background. Same character."

    env = os.environ.copy()
    env["GEMINI_API_KEY"] = api_key

    result = subprocess.run(
Confidence
82% confidence
Finding
os.environ.copy()

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.