Security audit

Csb Clawhub Rk5GQe

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple remote cruise-search MCP connector with no local code or persistence, though users should know their cruise search requests go to an external service.

Before installing, be comfortable sending cruise-search requests and travel preferences to the listed remote service. Avoid entering sensitive personal, payment, or account information unless the provider's privacy and retention practices are acceptable to you.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill exposes a remote MCP endpoint but does not disclose that user prompts, tool inputs, or related metadata may be transmitted to an external third-party service. This creates a real privacy and trust risk because users may unknowingly send sensitive travel preferences or other data off-platform without informed consent.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.