小爱音箱语音播报 (Xiao AI speaker voice announcement)

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims, but it asks users to store full Xiaomi account credentials persistently in plaintext, in shell startup files and in crontab entries.

Review before installing. Use this only if you are comfortable giving the skill your Xiaomi account password and letting it contact Xiaomi cloud services to list devices and trigger speaker announcements. Do not store MI_PASS in ~/.zshrc or directly in cron commands; prefer an OS secret store, a tightly permissioned credentials file, or interactive entry, and avoid disabling two-factor protection unless you fully accept the account risk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill requires sensitive capabilities—environment variables for credentials, network access to Xiaomi cloud APIs, and shell commands such as git clone—but does not declare them. This creates a transparency and review gap: users may authorize or install the skill without understanding that it handles credentials and performs remote network/shell operations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The description frames the skill as simple voice broadcasting, but the documented behavior includes logging into a Xiaomi account, enumerating bound devices, and selecting devices via account-linked metadata. This mismatch is security-relevant because it hides the degree of account access and data exposure involved, reducing informed consent around credential use and device inventory retrieval.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly tells users to persist Xiaomi account credentials in shell startup files like ~/.zshrc, which stores secrets in plaintext and increases the chance of accidental disclosure through backups, dotfile syncing, screen sharing, local compromise, or other users on the system. The risk is amplified because these are account credentials, not a scoped API token, so compromise may enable broader access to the user's Xiaomi account and devices.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation tells users to append Xiaomi account credentials directly into ~/.zshrc, which stores long-lived plaintext secrets on disk and may expose them through backups, dotfile sync, local compromise, shoulder surfing, or accidental sharing. Recommending permanent shell startup storage without warnings or safer alternatives materially increases credential theft risk.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# Edit the crontab
crontab -e

# Remind me to drink water every hour ("该喝水了" is the spoken message, "Time to drink water")
0 * * * * export MI_USER="xxx" MI_PASS="xxx" && /usr/bin/python3 /path/to/xiaoai-speaker/xiaoai_cli.py say "该喝水了"
```
Confidence
86% confidence
Finding
crontab -e
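The overview recommends a tightly permissioned credentials file or interactive entry instead of ~/.zshrc or an inline crontab export, and the crontab line quoted in the finding above shows the pattern to avoid: cron runs that line through `sh -c`, so the password becomes part of a process command line and of every crontab backup. The wrapper below is an added example written for this review, not code from the skill or its README. The credentials file location (~/.config/xiaoai/credentials), its plain KEY=VALUE format and the environment variable names are assumptions; the CLI path is the one from the quoted snippet.

```sh
#!/bin/sh
# Added example, not part of the skill's own docs: keep the Xiaomi account
# credentials out of ~/.zshrc and out of the crontab line. The credentials file
# path and its KEY=VALUE format are assumptions made for illustration.

CRED_FILE="${XIAOAI_CRED_FILE:-$HOME/.config/xiaoai/credentials}"
XIAOAI_CLI="${XIAOAI_CLI:-/path/to/xiaoai-speaker/xiaoai_cli.py}"

# Succeed only if FILE is a regular file whose group/other permission bits are
# all zero (mode 0600 or 0400). Ownership is not checked here.
cred_file_is_private() {
    cf="$1"
    [ -f "$cf" ] || return 1
    # GNU stat first, BSD/macOS stat as fallback; both print octal such as 600
    mode=$(stat -c '%a' "$cf" 2>/dev/null || stat -f '%Lp' "$cf" 2>/dev/null) || return 1
    mode=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')   # keep the last three digits
    [ "${mode#?}" = "00" ]                                 # group and other must be 0
}

# Parse MI_USER and MI_PASS from FILE (lines of the form KEY=VALUE, no quoting,
# the value may contain '=' or spaces) and export them for this process only.
# The file is parsed, not sourced, so it cannot run arbitrary commands.
load_xiaoai_credentials() {
    cf="${1:-$CRED_FILE}"
    if ! cred_file_is_private "$cf"; then
        echo "refusing to read $cf: must be a regular file with mode 0600 (chmod 600)" >&2
        return 1
    fi
    unset MI_USER MI_PASS
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            MI_USER=*) MI_USER="${line#MI_USER=}" ;;
            MI_PASS=*) MI_PASS="${line#MI_PASS=}" ;;
        esac
    done < "$cf"
    if [ -z "${MI_USER:-}" ] || [ -z "${MI_PASS:-}" ]; then
        echo "credentials file $cf is missing MI_USER or MI_PASS" >&2
        return 1
    fi
    export MI_USER MI_PASS
}

# Speak one message. The crontab entry then carries no secret at all:
#   0 * * * * /bin/sh /path/to/xiaoai_say.sh "Time to drink water"
# instead of the inline  export MI_USER="xxx" MI_PASS="xxx" && ...  pattern.
xiaoai_say() {
    load_xiaoai_credentials || return 1
    /usr/bin/python3 "$XIAOAI_CLI" say "$1"
}

# Only act when a message is given, so sourcing the file just defines functions.
if [ $# -gt 0 ]; then
    xiaoai_say "$1"
fi
```

Create the file with `umask 077; printf 'MI_USER=...\nMI_PASS=...\n' > ~/.config/xiaoai/credentials` so it never exists with a permissive mode, and remove any `export MI_PASS=` line from ~/.zshrc afterwards. The credentials are still a full account password on disk, which is why the overview prefers an OS secret store where one is available; this wrapper only removes the two exposures the findings name, the shell startup file and the crontab command line.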

VirusTotal

66/66 vendors flagged this skill as clean.
