insentek-openapi

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its IoT data-query purpose, but it has enough credential-routing and documentation-scope issues that users should review it before installing.

Install only if you trust the Insentek publisher and need this specific IoT integration. Configure credentials only through the CLI login flow, do not paste appid or secret into chat, avoid setting INSENTEK_API_BASE or --api-base unless you fully trust the target server, and treat the bundled write/forwarding API docs as sensitive operations requiring explicit human review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Tainted flow: 'req' from os.environ.get (line 78, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    req.data = json.dumps(data).encode("utf-8")

    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:
        # Authentication failed; try refreshing the token, then retry once
Confidence
88% confidence
Finding
with urllib.request.urlopen(req, timeout=30) as resp:

Tainted flow: 'req' from os.environ.get (line 78, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    # 7. API reachability (no auth; only checks whether the service is online)
    try:
        req = urllib.request.Request(f"{api_base}/v3/token", method="GET")
        with urllib.request.urlopen(req, timeout=10) as resp:
            # 400 is expected here (missing parameters); it means the service is online
            results["api_reachable"] = {
                "ok": True,
Confidence
84% confidence
Finding
with urllib.request.urlopen(req, timeout=10) as resp:

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The auth status command prints the full App ID, secret, and token directly to stdout, exposing sensitive credentials to anyone with terminal access and to shell history, logs, CI captures, screen recordings, or support transcripts. In the context of an IoT data skill, revealing reusable API credentials is more dangerous because they can enable unauthorized access to device telemetry and related backend resources, and showing them is not necessary for a status-check feature.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The login flow prints the App ID, App Secret, and token directly to stdout after authentication. Secrets displayed on the console can be captured in terminal scrollback, shell logging, CI logs, screen recordings, remote sessions, or shoulder-surfing, which can lead to credential theft and unauthorized API access. In this skill context, exposing secrets is especially unnecessary because the tool's purpose is querying device data, not revealing authentication material.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The API documentation exposes write-capable and external-transfer operations (`/v3/device/{sn}/attr` and `/v3/device/{sn}/transport`) even though the skill metadata describes a read/query/analysis use case. In an agent setting, this scope mismatch is dangerous because the agent may invoke state-changing or third-party forwarding actions that users did not expect when they granted access for analytics.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
The description of `/v3/device/{sn}/attr` says it is for obtaining recent pluviometer data, but the endpoint actually modifies device attributes and reporting intervals. Mislabeling a write endpoint as a read-style operation can mislead developers or agents into performing configuration changes when they believe they are only retrieving data.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The script exposes general local file-write capability controlled by an output path, which exceeds what is needed for querying device data. Although it blocks a few hardcoded system directories, it still permits writing attacker-influenced content to many other locations, creating risk of overwriting user files, planting deceptive HTML, or persisting unsafe artifacts if an agent or user can supply the path and content.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README includes an example where a user pastes `appid` and `secret` directly into a chat conversation, but it does not warn that these are sensitive credentials or instruct users to use a secure input/storage path. In an agent context, conversational inputs may be logged, retained, echoed back, or exposed to plugins/tools, which increases the likelihood of credential disclosure.

Missing User Warnings

High
Confidence
99% confidence
Finding
Printing the secret and token values without masking or warning creates a direct secret-disclosure path. These values may be captured by terminal logs, copied into bug reports, observed via shoulder surfing, or harvested from automated environments, leading to credential compromise and unauthorized API use.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code explicitly prints the secret and token without any warning or redaction, creating immediate exposure of high-value credentials to any observer or logging system. Because these credentials likely grant access to IoT telemetry and possibly account-scoped operations, compromise could enable unauthorized data access, further API abuse, or persistence until the credentials are rotated.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The token example passes `secret` in the URL query string, which is commonly captured in logs, browser history, proxies, monitoring systems, and error traces. This increases the risk of credential leakage and unauthorized API access if developers follow the example literally.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation presents a device-modification endpoint without emphasizing that it changes live device configuration, including reporting frequency. In an agent or automation context, lack of a clear warning can lead to accidental operational changes, increased data costs, battery drain, or disruption of monitoring behavior.

Missing User Warnings

High
Confidence
95% confidence
Finding
The data-forwarding endpoint sends device data to an external system, yet the documentation does not clearly warn that invoking it causes outbound transmission beyond the platform. In a data-access skill focused on querying IoT telemetry, silent forwarding materially raises privacy, compliance, and unintended disclosure risks.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The `auth --status` output reveals the stored `appid` in full and also exposes metadata such as credential file path and token timestamps. While `appid` may not be a secret by itself, disclosing identifiers and credential-management metadata to agent output increases reconnaissance value and can aid follow-on attacks, especially in shared logs or chat transcripts.

VirusTotal

65/65 vendors flagged this skill as clean.