Is dbeadle1/vector-control safe?

https://github.com/openclaw/skills/tree/main/skills/dbeadle1/vector-control

91
SAFE

This skill provides legitimate Vector robot control functionality through Wirepod's HTTP API with minimal security risks. The main concerns are the configurable base URL parameter and the inherent risks of physical robot control, but no malicious behavior was detected.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (3)

LOW Configurable Base URL Parameter -15

The --base parameter allows changing the target server from localhost to any URL, potentially redirecting robot commands to unintended endpoints.

LOW External Program Execution -10

The script executes ffmpeg via subprocess for audio conversion, which involves code execution but appears legitimate for the stated audio processing functionality.

MEDIUM Physical Robot Control Capabilities -20

The skill controls a physical Vector robot including movement, camera, microphone, and speech capabilities, which could potentially be misused for surveillance or unwanted physical actions, though this appears to be the intended functionality.