JoyIn Robot Control

Security checks across malware telemetry and agentic risk

Overview

This skill is a real robot-control integration, but it grants broad physical, camera/audio, network, and credential-changing authority without strong safeguards.

Install only if you intentionally want OpenClaw to operate and administer a JoyIn robot. Treat the JoyIn key, WiFi password, stream URLs, ASR output, and LLM API keys as sensitive; supervise physical movement and live streaming; and avoid WiFi, LLM, or agent-binding commands unless you trust the configured API endpoint and understand the lasting changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented behavior exceeds and diverges from the declared description: it can reconfigure WiFi, retrieve ASR data, and register third-party LLM endpoints and API keys, while omitting some advertised features. This mismatch is dangerous because users may grant trust based on an incomplete description and unknowingly expose credentials, speech data, camera access, or device/network configuration changes.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The description does not disclose access to ASR results, meaning the skill can retrieve recent speech-recognition content without making that data access obvious to users. Even if intended for robot interaction, undisclosed access to speech-derived content creates privacy risk because spoken commands or nearby conversation may be exposed unexpectedly.

Description-Behavior Mismatch

Low
Confidence
84% confidence
Finding
The description does not disclose access to ASR results, meaning the skill can retrieve recent speech-recognition content without making that data access obvious to users. Even if intended for robot interaction, undisclosed access to speech-derived content creates privacy risk because spoken commands or nearby conversation may be exposed unexpectedly.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill documents commands that start live video streaming and fetch stream URLs without any privacy or camera-activation warning. This is dangerous because operators may remotely enable surveillance or expose stream endpoints without realizing the privacy implications for people in the robot's environment.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The WiFi configuration command accepts SSID and password values without warning that it handles highly sensitive credentials and changes device network state. This can lead to password exposure in shell history, logs, transcripts, or accidental reconfiguration that disconnects the robot or moves it to an unsafe network.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The LLM registration example shows an API key supplied directly on the command line and sent to a third-party endpoint, but gives no warning about credential sensitivity or external transmission. Command-line secrets are often captured in shell history, process listings, agent transcripts, and logs, creating a high risk of credential leakage.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The CLI accepts raw WiFi SSID and password and sends them to a remote API with no explicit warning, confirmation, or disclosure beyond a brief help string. Base64 encoding is not protection, so users may unknowingly expose network credentials to logs, shell history, or an unexpected backend endpoint if the base URL is overridden.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This command transmits a custom LLM API key to a remote endpoint without any explicit warning, confirmation, or trust validation for the destination. Because the base URL is user-supplied and the skill facilitates registering arbitrary endpoints, a user could accidentally send a sensitive provider key to an untrusted or mistyped service.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Updating an existing LLM configuration can transmit replacement API keys to a remote service without clear user disclosure. As with registration, using CLI flags for secrets and allowing arbitrary base URLs increases the risk of credential leakage to shell history, local observers, or unintended remote endpoints.

VirusTotal

65/65 vendors flagged this skill as clean.
