@Ukeyboard/homebox-skill

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a legitimate HomeBox inventory helper, but it exposes sensitive and destructive HomeBox API capabilities beyond its normal inventory-management workflow.

Install only if you trust the publisher and intend to give an agent access to your HomeBox instance. Use a limited-scope token if HomeBox supports it, avoid printing or storing bearer tokens in shared logs, do not disable TLS verification except on a trusted local network, and require explicit confirmation before any delete, bulk, account, group, notifier, export, or admin action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Description-Behavior Mismatch

Severity: Medium. Confidence: 94%.
The reference file exposes authentication and account-management endpoints such as login, registration, password change, token refresh, and account deletion even though the skill manifest describes a narrower inventory-management use case. This unnecessary capability expansion increases the chance an agent could invoke sensitive identity operations outside user expectations, especially in a self-hosted environment where account compromise has broader consequences.

Description-Behavior Mismatch

Severity: Medium. Confidence: 92%.
The API summary includes group administration and invitation creation endpoints that are not disclosed in the manifest’s stated item/location/tag workflows. These operations can change tenancy boundaries or invite additional users, so exposing them to an agent without clear purpose or disclosure creates unjustified administrative risk.

Description-Behavior Mismatch

Severity: High. Confidence: 98%.
Notifier and webhook management endpoints are unrelated to the manifest’s stated inventory tasks yet allow creation, update, deletion, and testing of outbound integrations. This materially broadens the skill from inventory management into network-capable configuration management, enabling abuse such as data exfiltration channels or interaction with attacker-controlled endpoints.

Context-Inappropriate Capability

Severity: High. Confidence: 99%.
The notifier test endpoint accepts an arbitrary URL as a query parameter, so an agent (or a prompt that steers it) can make the HomeBox server itself send a request to a chosen destination. That is the dangerous part: the request originates from the server, not from the agent, so it can reach internal hosts and services on the server's network that the agent could not reach directly, which makes the endpoint usable for SSRF-style probing, triggering internal network access, and confirming or exploiting outbound connectivity, none of which has anything to do with home inventory tasks.
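A wrapper that sits between the agent and the HomeBox API can refuse to forward a notifier test URL that points anywhere non-public. The following is an added example, not code from homebox-skill or HomeBox: it rejects non-http(s) schemes, embedded credentials, and any host that is or resolves to a loopback, private, link-local, multicast or otherwise non-public address, and supports an optional host allowlist. The resolver is injectable so the check can run offline; the hostnames and addresses used in the demo are constructed for the example.

```python
"""Destination check for a user-supplied webhook/notifier URL.

Added example (not part of homebox-skill or HomeBox). Names, hosts and the
notion of a "notifier test URL" are taken from the finding above; nothing here
describes HomeBox's real routes.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host):
    """All addresses the host resolves to (A and AAAA), or [] on failure."""
    try:
        # sockaddr[0] is the textual address; drop any IPv6 zone id ("%eth0").
        return [info[4][0].split("%", 1)[0]
                for info in socket.getaddrinfo(host, None)]
    except socket.gaierror:
        return []


def is_public_address(ip_text):
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip_text)
    # ::ffff:127.0.0.1 is still loopback: judge the embedded IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return addr.is_global and not (
        addr.is_private or addr.is_loopback or addr.is_link_local
        or addr.is_multicast or addr.is_reserved or addr.is_unspecified
    )


def check_notifier_url(url, resolver=default_resolver, allowed_hosts=None):
    """Return (ok, reason).

    ok is True only if the scheme is http(s), the URL carries no credentials,
    the host is on the allowlist (when one is given), and EVERY address the
    host maps to is public. A host that resolves to one public and one private
    address is rejected, since the server may pick either.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"malformed URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host {host!r} not on the allowlist"
    try:
        addresses = [str(ipaddress.ip_address(host))]   # IP literal, no DNS
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        return False, f"host {host!r} does not resolve"
    for ip in addresses:
        if not is_public_address(ip):
            return False, f"host {host!r} maps to non-public address {ip}"
    return True, f"{host} -> {', '.join(addresses)}"


if __name__ == "__main__":
    # Constructed sample URLs; no network access is needed for the IP literals.
    for u in ("http://127.0.0.1:8080/", "http://169.254.169.254/latest/",
              "http://[::ffff:127.0.0.1]/", "file:///etc/passwd",
              "https://user:pw@hooks.example/"):
        print(u, "->", check_notifier_url(u, resolver=lambda h: []))
```

The check is a pre-flight at the agent side: the HomeBox server resolves the hostname again when it performs the request, so a name that changes answers between the two lookups (DNS rebinding) can still slip through. For that reason the host allowlist, not the address classification, is the control to rely on when a fixed set of webhook targets is known.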

Context-Inappropriate Capability

Severity: High. Confidence: 95%.
Bulk and system action endpoints such as thumbnail creation, asset-ID changes, import-ref changes, primary-photo changes, and zeroing time fields exceed normal end-user lookup and item-management workflows described in the manifest. These operations can mutate many records at once and can cause irreversible data corruption or integrity loss if triggered accidentally or via prompt manipulation.

Context-Inappropriate Capability

Severity: High. Confidence: 98%.
The skill accepts raw username/password input and performs authentication, even though the stated purpose is inventory interaction rather than credential handling. This expands the trust boundary significantly and creates risk of credential capture, logging, mishandling, or unintended disclosure in agent/tooling contexts where command arguments and stdout may be recorded.

Context-Inappropriate Capability

Severity: Medium. Confidence: 91%.
Creating entity types is an administrative capability broader than the declared inventory use cases of finding, adding, updating, and organizing items, tags, and locations. In an agent context, exposing unnecessary admin operations violates least privilege and could let a prompt or user perform unintended schema-changing actions on the HomeBox instance.

Vague Triggers

Severity: Medium. Confidence: 79%.
The invocation guidance says to invoke when the user mentions HomeBox, home inventory, or asks about item locations, which is broad enough to trigger the skill in contexts where the user did not intend networked inventory access. Over-broad activation can leak sensitive household inventory data or cause writes in response to ambiguous requests.

Missing User Warnings

Severity: Medium. Confidence: 90%.
The reference documents highly destructive admin actions such as inventory wipe and bulk mutation operations without any warning, confirmation guidance, or indication of irreversible effects. In an agent skill context, this increases the chance that an LLM-driven tool may expose or invoke dangerous operations without requiring explicit user acknowledgment, leading to accidental mass data loss.

Vague Triggers

Severity: Medium. Confidence: 88%.
The reference exposes destructive or bulk-mutating endpoints without any embedded trigger constraints, usage warnings, or negative examples that would help downstream agent logic avoid unsafe invocation. In agent-integrated systems, lack of such guardrails makes accidental execution of high-impact operations more likely during ambiguous or adversarial prompts.

Missing User Warnings

Severity: Medium. Confidence: 86%.
Destructive operations such as item deletion (and, in the account section, account deletion) are listed in a plain reference file with no user-facing warning and no statement that confirmation is expected. In an agent setting that omission makes it more likely that deletion-capable actions are treated as routine operations and invoked without informed consent.
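The overview's rule (explicit confirmation before any delete, bulk, account, group, notifier, export, or admin action) and the three findings above about destructive and bulk endpoints shipping without guardrails can be enforced mechanically in the layer that issues the skill's API calls, rather than hoping the model reads a warning. The following is an added example, not code from homebox-skill or HomeBox: a policy gate that classifies each call and only lets a dangerous one through against a one-shot confirmation for that exact call. The `/api/v1/...` route prefixes it matches are assumptions made for the example, not HomeBox's documented API.

```python
"""Confirmation gate for HomeBox API calls made on an agent's behalf.

Added example (not part of homebox-skill or HomeBox). The route prefixes are
assumed for illustration; substitute the real ones from the reference file.
"""
import re
from dataclasses import dataclass

# Assumed inventory routes: the only ones the skill's stated workflow needs.
INVENTORY_ROUTE = re.compile(r"^/api/v1/(items|locations|labels)(/|$)")
# Assumed sub-routes under the inventory tree that are still bulk or export-like.
BULK_SEGMENT = re.compile(r"/(export|import|bulk)(/|$)")


@dataclass(frozen=True)
class Call:
    method: str
    path: str

    def key(self):
        # Query string is dropped so "?q=drill" and "?q=saw" share one policy.
        return (self.method.upper(), self.path.split("?", 1)[0])


def classify(call):
    """Return 'read', 'write' or 'dangerous' for a HomeBox API call.

    Anything outside the inventory routes (users, groups, notifiers, actions,
    entity types, ...) is dangerous by default: least privilege means a route
    is reachable because the manifest names it, not because the API has it.
    """
    method, path = call.key()
    if method == "DELETE":
        return "dangerous"
    if not INVENTORY_ROUTE.search(path) or BULK_SEGMENT.search(path):
        return "dangerous"
    if method in ("GET", "HEAD"):
        return "read"
    return "write"


class PolicyGate:
    """Tracks one-shot confirmations keyed by (method, path).

    A confirmation authorises exactly one dangerous call and is consumed when
    used, so a user saying "yes, delete that item" cannot be replayed by a
    later prompt into deleting a second one.
    """

    def __init__(self):
        self._tickets = {}   # (method, path) -> remaining confirmed uses

    def confirm(self, call):
        k = call.key()
        self._tickets[k] = self._tickets.get(k, 0) + 1

    def authorize(self, call):
        """Return (allowed, reason). When allowed is False the caller must not
        send the request; the reason is what to show the user instead."""
        level = classify(call)
        if level != "dangerous":
            return True, f"{level} call within inventory scope"
        k = call.key()
        if self._tickets.get(k, 0) > 0:
            self._tickets[k] -= 1
            return True, "dangerous call, explicitly confirmed by the user"
        return False, (f"{k[0]} {k[1]} is outside the inventory workflow or "
                       "destructive; ask the user to confirm this exact call")


if __name__ == "__main__":
    gate = PolicyGate()
    for call in (Call("GET", "/api/v1/items?q=drill"),
                 Call("DELETE", "/api/v1/items/3f2a"),
                 Call("POST", "/api/v1/actions/zero-item-time-fields"),
                 Call("POST", "/api/v1/notifiers/test?url=http://10.0.0.1/")):
        print(call.method, call.path, "->", gate.authorize(call))
```

The gate is deliberately an allowlist: a route the skill's manifest does not justify is dangerous until someone argues otherwise, which is the opposite of the reference file's posture of listing every endpoint on equal footing. Confirmation is keyed to the exact method and path and consumed on use, so a single "yes" cannot be stretched over a bulk of deletes.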

Missing User Warnings

Severity: Medium. Confidence: 99%.
The login command prints the bearer token directly to stdout. That is dangerous because agent transcripts, terminal history, logs, and tool output may be persisted or passed to other components, and anyone with access to that output can reuse the token to act against the HomeBox API with the authenticated user's privileges for as long as the token remains valid.
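The login step can hand the token to the agent without ever echoing it. The following is an added example, not code from homebox-skill or HomeBox: the token is written to a file with owner-only permissions, the only thing returned for display is a redacted summary, and a `redact()` filter is provided for anything the wrapper does log. The login response shape (`{"token": "...", "expiresAt": "..."}`), the assumption that the token value already carries the `Bearer ` prefix, and the sample values are all constructed for the example.

```python
"""Token handling for an agent-driven HomeBox login.

Added example (not part of homebox-skill or HomeBox). The response shape and
sample token are assumptions; the file-permission check is POSIX-only.
"""
import json
import os
import re
import stat

BEARER_RE = re.compile(r"(?i)(bearer\s+)[A-Za-z0-9._~+/=-]{8,}")
JSON_TOKEN_RE = re.compile(
    r'("(?:token|access_token|refresh_token)"\s*:\s*")[^"]*(")')


def redact(text):
    """Mask bearer tokens and token-bearing JSON fields in any text that is
    about to reach stdout, a transcript or a log line."""
    text = BEARER_RE.sub(r"\1[REDACTED]", text)
    return JSON_TOKEN_RE.sub(r"\1[REDACTED]\2", text)


def save_token(token, path):
    """Create or truncate `path` with mode 0600 and write the token to it.
    The explicit chmod covers a pre-existing file with looser permissions."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(token)
    os.chmod(path, 0o600)
    return path


def token_file_is_private(path):
    """True if no group/other permission bits are set on the token file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return not (mode & (stat.S_IRWXG | stat.S_IRWXO))


def load_token(path):
    """Refuse to use a token file that anyone but its owner can read."""
    if not token_file_is_private(path):
        raise PermissionError(f"{path} is readable by group/other; expected 0600")
    with open(path, encoding="utf-8") as f:
        return f.read().strip()


def login_and_store(response_body, path):
    """Persist the token from the raw login response and return a printable
    summary that contains no secret. Raises if the body carries no token."""
    body = json.loads(response_body)
    token = body.get("token")
    if not token:
        raise ValueError("login response did not contain a token")
    save_token(token, path)
    expires = body.get("expiresAt", "unknown")
    return f"login ok; token stored at {path} (mode 0600), expires {expires}"


def auth_header(path):
    """Build the Authorization header from the stored token, adding the
    'Bearer ' prefix only if the stored value lacks it (assumed format)."""
    token = load_token(path)
    if not token.lower().startswith("bearer "):
        token = f"Bearer {token}"
    return {"Authorization": token}


if __name__ == "__main__":
    import tempfile
    # Constructed sample response; a real one would come from the login call.
    sample = '{"token": "Bearer abc.def.ghi-jkl", "expiresAt": "2030-01-01T00:00:00Z"}'
    token_path = os.path.join(tempfile.mkdtemp(), "homebox-token")
    print(login_and_store(sample, token_path))      # summary, no token
    print(redact(sample))                           # what a log line would show
    print(auth_header(token_path).keys())           # header built, value not printed
```

The summary string is the only thing the agent sees from the login step; subsequent calls read the token back from the file when they build the header, so the secret never appears in a tool result the model could repeat or a transcript could persist.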

VirusTotal

VirusTotal findings are pending for this skill version.
