ClawHub

Device Assistant

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent personal device manager; its main privacy consideration is that saved device details stay in workspace memory and troubleshooting links may reveal model/error details if opened.

Install only if you are comfortable storing device inventory details in workspace memory. Avoid saving unnecessary sensitive fields such as full serial numbers, and review generated search/manual/support links before opening them because they may disclose model numbers, error codes, or problem descriptions to external services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger set includes broad natural-language phrases such as device problems, appliance issues, and error-message wording that could match ordinary conversation unintentionally. Accidental invocation can cause the skill to process sensitive device details or start network-backed lookups without clear user intent, especially in an assistant environment with multiple installed skills.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill states that it uses web search and internet access for error-code lookup, but it does not clearly warn users that device model information, error codes, manual URLs, or troubleshooting queries may be transmitted to external services. Because the skill manages potentially sensitive household inventory and warranty data, this omission can lead to privacy violations and uninformed consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal