Back to skill

Security audit

Gaggiuino Local

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local Gaggiuino espresso-machine helper with real device-control and file-output risks that are mostly scoped and user-directed.

Install only if you want an agent to interact with your own trusted Gaggiuino machine. Review profile switches and settings updates before sending them, keep the saved base URL pointed at a trusted local device, and be careful with custom output paths because render commands may overwrite files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
with open(concat_list, 'w') as f:
            for p in seg_paths: f.write(f"file '{p}'\n")

        subprocess.run(
            ['ffmpeg', '-y', '-f', 'concat', '-safe', '0', '-i', concat_list,
             '-c', 'copy', '-movflags', '+faststart', out_path],
            check=True, stdout=subprocess.DEVNULL, stderr=subprocess.PIPE,
Confidence
83% confidence
Finding
subprocess.run( ['ffmpeg', '-y', '-f', 'concat', '-safe', '0', '-i', concat_list, '-c', 'copy', '-movflags', '+faststart', out_path], check=True, stdout=su

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The skill provides a workflow for changing live machine settings but does not include a clear user-facing safety warning that these writes modify real device configuration and may affect operation. In a machine-control context, missing warnings increase the chance of unintended or insufficiently informed changes to temperature, pressure, or other operational parameters.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.