ClawHub

XLink IoT Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is an IoT integration that can send live device-control commands, and those high-impact actions are not clearly scoped or gated by confirmation.

Review carefully before installing, especially in production IoT environments. Use least-privilege or read-only XLink credentials where possible, restrict use to approved devices and services, and require an external human approval process before running device-control commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The skill description frames the tool as a query/monitoring agent, but the documented behavior includes state-changing device control and additional sensitive data access paths. That mismatch can cause users or orchestration systems to invoke the skill with read-only expectations while unintentionally granting or triggering write actions against physical devices.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The authentication reference includes a `control_device` example even though the skill is described as query/monitoring-only. In an agent skill context, documenting an out-of-scope control capability can enable unintended actuator operations if downstream tooling or users assume the example is supported and safe to invoke.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill is described as query/monitoring-oriented, but this document exposes a write-capable device control endpoint that can invoke services on devices and set attributes. That mismatch expands the effective privilege of the skill beyond user expectations and creates a real risk of unauthorized or unsafe physical device actions if the agent surfaces or uses this API.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
A command invocation API that can call arbitrary product-defined services, including attribute-setting operations, is highly sensitive and unjustified in a monitoring-only skill. In an IoT context, misuse could change device state, disrupt operations, disable protections, or trigger unsafe behavior in real-world equipment.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The reference documentation exposes a live `device-control` capability that goes beyond the stated monitoring/query-focused scope of the skill. In an agent context, this scope mismatch is dangerous because it can cause users or downstream orchestration to invoke physical device actions unexpectedly, potentially changing real-world device state without informed consent.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill metadata says it is for querying devices and monitoring events, but this code also exposes a live write/control primitive via control_device(). That is dangerous because downstream agents or users may grant it broader trust than intended and accidentally send real commands to production IoT devices, changing state or causing safety/availability impacts.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The CLI surfaces a device-control command even though the skill description frames the tool as read-only monitoring/query functionality. This mismatch increases the chance that an orchestrating agent or human operator invokes destructive functionality under a false assumption of safety, especially in production IoT environments.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill documents a device-control command that can alter physical device state, but it does not warn users that execution may change real-world behavior. In an IoT context, undisclosed write operations can affect safety, availability, or operations by switching devices, modifying settings, or queueing commands for later delivery.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation presents a device-control API without warning that commands may have destructive, service-impacting, or safety-relevant effects. Missing cautions increase the chance that operators or agents treat control as routine data retrieval and issue commands without understanding operational consequences.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The device control examples show how to send operational commands to physical IoT devices but do not warn that these are live, state-changing actions. In a skill used by agents, missing safety messaging increases the risk of accidental or overly broad command execution against production devices.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The documentation exposes a device control/command invocation endpoint but does not warn that it performs real-world state-changing actions on IoT devices. In an agent skill context, missing safety guidance can cause the agent or user to invoke commands without confirmation, authorization checks, or operational safeguards, increasing the risk of unintended device manipulation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The device control path sends live service invocations immediately after parsing JSON input, with no warning, dry-run, or confirmation step. In an IoT context this can cause accidental actuation, unsafe device behavior, or outages from a mistaken command or malformed automation prompt.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal