KNX Gateway Automation

Security checks across malware telemetry and agentic risk

Overview

This is a transparent KNX smart-home automation skill, but it can control locks, doors, windows, scenes, and workflows with limited safety and transport-security guidance.

Install only if you intend to let an agent manage a trusted KNX gateway. Keep KNX_TOKEN in a secret store, restrict the gateway to a trusted LAN or VPN, prefer HTTPS or isolated networking if the gateway only supports HTTP, and require explicit confirmation for unlock, garage/window movement, scene execution, workflow enable/execute, deletes, and any HTTP/MQTT/email/webhook destination.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Context-Inappropriate Capability

Severity: Medium | Confidence: 91%
Finding:
The examples expose generic outbound integration primitives (`http_request` and earlier `mqtt_publish`) that go beyond the manifest's described KNX gateway workflow/scene-management scope. In an agent skill, documented examples materially shape model behavior, so this can expand the skill into data exfiltration, unsolicited network access, or command forwarding to arbitrary internal/external services without clear user intent or scope controls.

Description-Behavior Mismatch

Severity: Medium | Confidence: 86%
Finding:
The documentation exposes outbound communication primitives spanning email, MQTT, and arbitrary HTTP requests, which materially broaden the skill from local KNX automation management into generic data egress and external integration. In a smart-home context, these nodes could be used to exfiltrate device state, trigger data, credentials, or occupancy-related information to external systems, making the scope expansion security-relevant rather than merely descriptive.

Context-Inappropriate Capability

Severity: Medium | Confidence: 77%
Finding:
Email notification introduces an external communications channel that is not clearly necessary for KNX workflow CRUD, scene execution, or device control. Because the config includes SMTP host, username, and password fields, workflows can transmit smart-home event data externally and encourage handling of sensitive credentials inside automation definitions.

Context-Inappropriate Capability

Severity: High | Confidence: 93%
Finding:
The HTTP request node provides a generic outbound web request capability to arbitrary URLs, which is substantially broader than managing KNX gateway workflows and devices. This creates a powerful exfiltration and pivot mechanism: trigger data, variable contents, and possibly secrets can be sent to attacker-controlled endpoints, and workflows can be abused as a general network client.

Context-Inappropriate Capability

Severity: Medium | Confidence: 80%
Finding:
MQTT publish extends the skill beyond direct KNX gateway management into generic message publication, including to non-local brokers with credentials and optional TLS verification bypass. In a home-automation setting this can leak telemetry or enable unauthorized integrations, especially if users import untrusted workflows or use external brokers.

Missing User Warnings

Severity: High | Confidence: 96%
Finding:
The API reference sets a default base URL of `http://ycznwl.local/api/v1` while requiring bearer-token authentication, but gives no warning that HTTP transmits tokens and commands without transport encryption. In a smart-home context, this can expose credentials and permit interception or modification of device-control, scene, and automation requests by any attacker with local network position.

Missing User Warnings

Severity: Medium | Confidence: 89%
Finding:
The documentation exposes direct device-control actions via REST, including commands that can affect physical systems, but it provides no safety guidance, confirmation requirements, or restrictions for potentially hazardous operations. In a smart-home/KNX context, such omissions can lead downstream agents or integrators to trigger unsafe physical effects without adequate user awareness or safeguards.

Missing User Warnings

Severity: High | Confidence: 98%
Finding:
Documenting an `unlock` action without any warning or security guidance is dangerous because it normalizes remote door-unlock capability as a routine control operation. In an automation skill, this can enable unauthorized access, accidental unlocks, or insecure workflow generation if consumers do not implement strong authentication, explicit consent, and auditing around the action.

Missing User Warnings

Severity: Medium | Confidence: 95%
Finding:
Open/close/stop actions for curtains, blinds, garage doors, and windows can cause real-world movement and create pinch, obstruction, property-damage, or exposure risks, yet the documentation presents them with no safety caveats. In a home-automation skill, omission of these warnings increases the chance that agents or developers will invoke movement commands without occupancy checks, obstacle detection, or user confirmation.

VirusTotal

66/66 vendors flagged this skill as clean.