iot-developer
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHDATA_EXFILTRATIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- DATA_EXFILTRATION (HIGH): The skill directs users to use 'broker.hivemq.com', which is a public, unauthenticated MQTT broker. Any data published to topics like 'home/temperature' or 'home/humidity' is visible to anyone on the internet, violating data privacy for smart home or industrial contexts.
- COMMAND_EXECUTION (HIGH): The open nature of the public broker allows any third party to publish messages to control topics (e.g., 'home/light/1'). This enables unauthorized actors to trigger physical side effects on devices managed by the skill, such as toggling lights or adjusting thermostats.
- EXTERNAL_DOWNLOADS (LOW): The skill requires the installation of the 'mqtt' Node.js package without specifying a version, which is a sub-optimal security practice for supply chain integrity.
- Malicious URL Detection (MEDIUM): Automated scanners flagged the HiveMQ broker URLs as malicious/blacklisted, which aligns with their use in insecure or unauthenticated IoT implementations.
Recommendations
- AI detected serious security threats
- Contains 2 malicious URL(s) - DO NOT USE
Audit Metadata