Feyagate

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This smart-home gateway is not clearly malicious, but it exposes broad unauthenticated controls over devices, credentials, memory, and skill management, so it needs careful review before installation.

Install only if you trust the publisher and can isolate the gateway on a trusted local network. Do not expose it beyond localhost or a private LAN, review the installer before running it, avoid pipe-to-shell installation, use least-privilege smart-home accounts, and treat memory, skill-management, proxy, OTA, camera, speaker, and physical-device actions as privileged operations requiring explicit user approval.

SkillSpector (38)

By NVIDIA

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs the agent to run shell commands (`pip install`, `feyagate start`, script execution), access local configuration/token files, and connect to local and remote network endpoints, but it declares no permissions to constrain or inform those capabilities. That mismatch is dangerous because an agent may autonomously perform installation, service startup, file access, and network actions without explicit trust gating, increasing the chance of unauthorized local changes or exposure of smart-home credentials and devices.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The documented API exposes generic memory and skill-management capabilities that go well beyond a smart-home gateway's stated purpose. In the same document, all endpoints are declared unauthenticated, so these features become remotely writable administrative surfaces that could be abused to implant prompts/skills, alter agent behavior, or exfiltrate sensitive user data stored as 'memory'.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The API includes broad system-administration operations such as restart, reprovisioning, and license management, which exceed basic device-control and directly affect availability and ownership state. Because the document states that all endpoints require no authentication, any party on the local network could disrupt service or reconfigure the gateway.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Unauthenticated memory storage and search are unjustified for the smart-home gateway role and create a direct confidentiality and integrity risk. An attacker on the LAN could read personal notes/preferences, insert malicious memory entries to steer agent behavior, or poison stored context used for future automation decisions.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Skill management, import/export, and content editing on an unauthenticated gateway create a code/prompt injection primitive directly inside an agent-facing platform. An attacker could add or modify skills to change agent behavior, trigger unsafe tool use, persist malicious instructions, or export proprietary/custom skill content.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
MCP proxy management introduces generic external service proxying that is broader than a smart-home gateway's declared role and can relay data to third parties. In an unauthenticated environment, attackers could add malicious proxy endpoints, replace API keys, or redirect agent/tool traffic to attacker-controlled services for exfiltration or command manipulation.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The document explicitly states that all API endpoints require no authentication while exposing highly sensitive operations including credential storage, platform connections, device control, reboot, reprovisioning, memory access, and skill management. For a smart-home gateway, this means anyone on the local network—and potentially a website via the documented permissive CORS—could take control of devices, steal tokens, alter automations, and disrupt the gateway.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The documented gateway exposes a persistent memory subsystem that is unrelated to core smart-home transport/control and can store arbitrary long-term notes on disk. In an agent-facing MCP server, this expands the trust boundary from device control into durable data retention, creating privacy risk, prompt/data poisoning opportunities, and unexpected persistence of sensitive user information.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The API includes skill management that can read, add, update, and delete skill instruction files under /spiffs, which is effectively code/instruction management far beyond normal IoT device control. For an agent-connected gateway, this enables persistence and self-modification of future agent behavior, creating a strong avenue for prompt injection persistence, unauthorized capability expansion, and backdoor-like instruction planting.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Because the skill's stated purpose is a smart-home gateway, exposing arbitrary skill-file management is unjustified and materially broadens what an attached agent can change. That mismatch is dangerous in context: users and orchestrators may grant trust appropriate for device control, while the server also permits persistent instruction manipulation that can alter future behavior or conceal malicious changes.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script allows callers to override the MCP host and port, then forwards the OAuth authorization code to whatever endpoint is specified over plain HTTP. That means a user can be tricked into running the helper with attacker-controlled parameters, causing a one-time OAuth code for a smart-home account to be exfiltrated to an arbitrary service.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The tool tells users the callback must include both code and state, but the implementation extracts only the code and submits it without validating state. In OAuth flows, state is a CSRF and response-integrity check; ignoring it can allow authorization responses from the wrong session or attacker-initiated flows to be accepted.
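The two helper-script findings above (forwarding the OAuth code to a caller-supplied host over plain HTTP, and ignoring `state`) have a compact fix. The following is an added example written for this review, not Feyagate's own helper: it binds the callback to the session's `state` with a constant-time compare, rejects callbacks missing either parameter, and refuses to forward the code to any host outside an allowlist or over plaintext to a non-loopback host. The `/oauth/callback` path, the default allowlist, and the function names are assumptions made for the example.

```python
"""Hardened OAuth callback handling for a local helper script (added example)."""
import secrets
from urllib.parse import urlparse, parse_qs

# Assumption for this example: by default the helper may only hand the
# one-time code to the gateway on the local machine.
DEFAULT_ALLOWED_HOSTS = frozenset({"localhost", "127.0.0.1"})
LOOPBACK_HOSTS = frozenset({"localhost", "127.0.0.1", "::1"})


def new_state() -> str:
    """Return an unguessable state value that ties the flow to this session.

    The caller stores it and passes it back to extract_code() when the
    redirect arrives.
    """
    return secrets.token_urlsafe(32)


def extract_code(callback_url: str, expected_state: str) -> str:
    """Return the authorization code only if the callback carries the expected state.

    Raises ValueError when code or state is absent or state does not match, so a
    response from another session or an attacker-initiated flow is rejected
    instead of being submitted.
    """
    query = parse_qs(urlparse(callback_url).query)
    code = query.get("code", [None])[0]
    state = query.get("state", [None])[0]
    if not code or not state:
        raise ValueError("callback must include both code and state")
    # Constant-time comparison; both values are URL-safe ASCII.
    if not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: response does not belong to this session")
    return code


def validate_forward_target(host: str, port: int, use_tls: bool,
                            allowed_hosts=DEFAULT_ALLOWED_HOSTS) -> str:
    """Build the URL the code will be forwarded to, refusing unsafe targets.

    The code is a secret: it must never go to a host outside the allowlist, and
    it only travels without TLS when the target is loopback. The path is an
    assumption for this example.
    """
    if host not in allowed_hosts:
        raise ValueError(f"refusing to forward OAuth code to non-allowlisted host {host!r}")
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    if not use_tls and host not in LOOPBACK_HOSTS:
        raise ValueError("refusing to send OAuth code over plaintext HTTP to a remote host")
    scheme = "https" if use_tls else "http"
    return f"{scheme}://{host}:{port}/oauth/callback"


if __name__ == "__main__":
    # Constructed walkthrough: a good callback, then a forged one.
    st = new_state()
    print(extract_code(f"http://localhost:8080/cb?code=abc123&state={st}", st))
    print(validate_forward_target("localhost", 8080, use_tls=False))
    try:
        extract_code("http://localhost:8080/cb?code=abc123&state=forged", st)
    except ValueError as exc:
        print("rejected:", exc)
```

The helper should also refuse to accept `host`/`port` overrides from anywhere other than its own trusted configuration; the allowlist above is the mechanism for that, and widening it is a deliberate configuration change rather than a command-line flag.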

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script builds a command string and executes it with Invoke-Expression when using the '$pyCmd -m pip' path. Although the current inputs are mostly derived from local interpreter discovery, using string evaluation in an installer that also pulls and installs network packages creates an avoidable command-injection surface and makes behavior harder to audit safely. The risk is amplified because the script is designed to be piped directly into iex and then installs code from the network.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The setup script is branded as FeyaGate but discovers and installs archives named 'miloco-mcp-server' and later directs users to download binaries from an external Gitee release page. That mismatch is a supply-chain integrity risk because users may install an unexpected third-party component without any signature, checksum, or provenance verification, enabling trojaned binaries to be introduced through the normal setup flow.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script downloads a remote package and installs it into the application directory, giving the remote update channel code execution power over the host. In the context of a smart-home gateway, this is especially dangerous because compromise of the OTA endpoint, metadata, or transport path can lead to takeover of software that controls local IoT devices and services.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The sub-skill description advertises a generic skill-management capability inside a smart-home automation skill, expanding the effective trust boundary beyond IoT control into modifying agent capabilities. In an agentic environment, the ability to add, update, or delete skills can be abused for persistence, privilege expansion, or replacement of trusted behavior, especially if exposed through normal automation workflows.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
The documented skill administration tools (`skill/list`, `skill/read`, `skill/manage`) are context-inappropriate for a smart-home gateway and introduce control over the agent's own capability set. If reachable by an agent or untrusted workflow, this enables tampering with available skills, data exfiltration through skill content reads, or installation/update of malicious functionality.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The documentation instructs clients to submit platform credentials and use long-lived authorization tokens without any warning about secret handling, storage, rotation, or transport protection. In an AI-agent setting, this increases the chance that passwords or tokens are logged, persisted to memory, echoed in chat, or sent over insecure channels, leading to account compromise across integrated IoT platforms.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The API exposes many state-changing operations affecting physical devices, rooms, schedules, persistent memory, and skills, but the documentation provides no safety warnings, confirmation requirements, or privilege model. In agent-driven environments this is risky because an LLM may invoke destructive or privacy-impacting actions without the user understanding that durable data or real-world device state will be modified.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The quick-start explicitly encourages one-line installation via remote scripts piped directly into a shell (`curl ... | bash` and PowerShell `iex`) without any integrity verification, pinning, or safety warning. This is dangerous because users or AI agents may execute unreviewed remote code that can change over time, leading to arbitrary code execution on the host.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
These examples perform real state-changing actions against smart-home devices, including setting properties, executing actions, triggering scenes, and issuing speaker commands, but they do not warn that they can affect physical devices or household conditions. In an AI-agent context, lack of such warnings increases the risk of unsafe automation, unintended actuation, nuisance behavior, or physical-world consequences.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README explicitly instructs users to execute remote installation scripts directly from the network via shell and PowerShell without any integrity verification, review step, pinning, or safety warning. This creates a real supply-chain execution risk: if the GitHub account, repository, branch, or network path is compromised, users will immediately run attacker-controlled code on their machines.
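The pipe-to-shell findings above (the quick-start and the README) and the unverified-archive finding both come down to the same missing step: pin what you fetch and check it before anything executes. The block below is an added example for this review, not code from the project. It pins the installer to a full commit SHA rather than a branch, downloads it to a file instead of a shell, verifies a SHA-256 digest obtained out of band, and only then stages it as an executable for the user to read and run. The owner/repo/path names and the `install.sh` destination are placeholders, not the project's real locations.

```python
"""Pinned, checksum-verified retrieval of an install script (added example)."""
import hashlib
import hmac
import os
import stat
import tempfile
import urllib.request
from pathlib import Path

HEX_DIGITS = frozenset("0123456789abcdef")


def pinned_raw_url(owner: str, repo: str, commit: str, path: str) -> str:
    """Return a raw.githubusercontent.com URL pinned to an immutable commit.

    A branch or tag can be moved after you reviewed it; a 40-hex commit SHA
    cannot, so anything else is refused.
    """
    if len(commit) != 40 or not set(commit.lower()) <= HEX_DIGITS:
        raise ValueError("pin to a full 40-hex commit SHA, not a branch or tag")
    return f"https://raw.githubusercontent.com/{owner}/{repo}/{commit}/{path}"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the downloaded bytes against a pinned digest."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def fetch(url: str, timeout: float = 30.0) -> bytes:
    """Download the script as bytes; nothing is executed here."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def stage_verified_script(data: bytes, expected_hex: str, dest_dir) -> Path:
    """Write the script to dest_dir/install.sh only if its digest matches.

    The file is written via a temp name and renamed atomically, and made
    executable for the owner only, so a half-written or unverified file is
    never left in place under the final name.
    """
    if not verify_digest(data, expected_hex):
        raise ValueError("checksum mismatch; refusing to stage installer")
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    fd, tmp_name = tempfile.mkstemp(dir=dest, suffix=".part")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(tmp_name, stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR)
    final = dest / "install.sh"
    os.replace(tmp_name, final)
    return final


def install_pinned(owner: str, repo: str, commit: str, path: str,
                   expected_hex: str, dest_dir) -> Path:
    """Fetch, verify and stage in one call. Review the staged file before running it."""
    return stage_verified_script(fetch(pinned_raw_url(owner, repo, commit, path)),
                                 expected_hex, dest_dir)


if __name__ == "__main__":
    # Constructed, offline walkthrough: a made-up script and its real digest.
    script = b"#!/bin/sh\necho 'hello from a reviewed installer'\n"
    staged = stage_verified_script(script, sha256_hex(script), tempfile.mkdtemp())
    print("staged at", staged)
```

Replace `curl ... | bash` with `install_pinned(...)` followed by reading the staged file; the digest passed in must come from somewhere other than the same repository at the same commit (a release page you trust, a signed note, or a value recorded when you first reviewed the script), otherwise a compromised repo can simply update both.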

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The README advertises control of smart-home devices, camera snapshots/streaming, speaker control, and persistent memory features, but provides no prominent warning about privacy, surveillance, credential handling, or unintended physical-world actions. In this context, omission of user-facing safety guidance is materially risky because the tool affects cameras, household devices, and long-term data retention.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The automation sub-skill uses broad trigger words like `schedule`, `timer`, `trigger`, `room`, `memory`, and `note`, which commonly appear in ordinary conversations unrelated to home automation. This can cause unintended loading of a module that can create automations or persistent state, leading an agent to invoke smart-home actions or store data when the user did not intend to operate the gateway.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The extension module is triggered by generic technical terms like `serial`, `UART`, `GPIO`, `config`, `license`, and `stats`, which overlap heavily with normal troubleshooting and programming discussions. Because this module appears to expose hardware and configuration-related functionality, accidental invocation could lead to configuration changes, hardware interaction, or disclosure of system details in contexts where the user was only asking general technical questions.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.
