
Security audit

xiaodu-iot

Security checks across malware telemetry and agentic risk

Overview

This smart-home skill appears purpose-built, but it gives an agent real device-control and privacy-sensitive powers with weak guardrails around confirmation, secrets, logs, and persistent memory edits.

Install only if you trust the Xiaodu/DuerOS integration and are comfortable with an agent controlling smart-home devices. Before use:
  • Store tokens and device IDs as secrets.
  • Avoid sharing terminal logs or screenshots.
  • Review the unpinned npx package before use.
  • Require explicit confirmation for broadcasts, scenes, device actions, and photo capture.
  • Disable or modify the MEMORY.md update behavior before running update_devices.sh.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Medium, 92% confidence
Finding
The script's stated purpose is updating device lists, but it also rewrites a shared MEMORY.md file. Modifying a general memory/context file expands scope and can corrupt unrelated agent state, causing integrity issues or misleading future agent behavior if the script is run automatically.

Missing User Warnings

Medium, 84% confidence
Finding
The publishing guidance tells users to obtain an Access Token and extract device identifiers (CUID and Client ID) and to substitute them into the skill, but it does not clearly warn that these values are sensitive secrets tied to a user account and device fleet. In the context of a smart-home control skill, accidental disclosure of these values could enable unauthorized device enumeration, voice actions, or IoT control, making the omission security-relevant rather than merely documentation-related.

Missing User Warnings

Medium, 93% confidence
Finding
This skill enables direct control of smart speakers, IoT devices, scenes, and voice broadcasts, yet it provides no explicit warning or confirmation guidance about effects in the physical world or shared spaces. That omission increases the risk of unintended actions such as toggling appliances, moving curtains, or broadcasting messages to other people without informed user consent.

Missing User Warnings

Medium, 85% confidence
Finding
The documentation provides ready-to-run commands for device control and scene triggering without an explicit warning that these actions immediately affect real physical devices and home-state settings. In an agent skill context, this increases the chance of unintended actuation of lights, curtains, or scenes, which can impact safety, privacy, and user trust.

Missing User Warnings

Medium, 92% confidence
Finding
The documentation exposes a device capability to trigger photo capture on camera-equipped devices but does not warn about consent, notification, or privacy boundaries. In a home/IoT control skill, undocumented remote camera activation increases the risk of covert surveillance or user surprise, especially if an agent can invoke the tool without explicit per-action confirmation.

Missing User Warnings

Medium, 86% confidence
Finding
The script echoes the device CUID, client ID, and message text to stdout immediately before invoking an external control command. In CI logs, shared terminals, shell capture tooling, or support transcripts, this can expose identifiers and potentially sensitive spoken content without user awareness that the data is being transmitted to an external device/service.

Ssd 3

Medium, 95% confidence
Finding
The script prints sensitive operational data, including full spoken content and device identifiers, to stdout. Those values can be captured in terminal scrollback, shell logs, CI/CD logs, monitoring pipelines, or remote session recordings, causing unintended disclosure of private messages or device metadata.

VirusTotal

66/66 vendors flagged this skill as clean.
