Security audit

RealityKit visionOS Developer

Security checks across malware telemetry and agentic risk

Overview

This is a static RealityKit visionOS reference skill; it covers some privacy-sensitive app APIs, but it does not itself collect data, run code, or request elevated access.

This appears safe to install as a documentation/helper skill. When using it to build apps, add clear user-facing disclosure, consent handling where required, retention limits, and data minimization for body tracking, scene understanding, and synchronized shared-session state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The documentation encourages implementing body tracking but does not warn that it captures sensitive biometric and movement data. In a developer skill, this omission can lead downstream apps to collect or process body-pose data without clear user disclosure, consent language, or privacy-preserving handling, increasing privacy and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The document encourages access to real-environment mesh and object data from scene understanding, but it does not mention any privacy implications, user consent expectations, or safe handling of sensor-derived spatial data. In a developer skill, this omission can normalize collecting or processing room layout and object data without prompting developers to disclose usage, minimize retention, or respect platform privacy requirements.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The documentation encourages automatic cross-device/session replication of entity state but does not warn that synchronized transforms, components, anchors, and related scene state may expose user, environment, or collaboration data to other participants. In a visionOS/RealityKit developer skill, this omission is meaningful because readers may enable synchronization by default without evaluating privacy boundaries, data minimization, or participant trust.

VirusTotal

65/65 vendors flagged this skill as clean.