air-train-ev

Security checks across malware telemetry and agentic risk

Overview

The skill performs its stated travel lookups, but its configurable API host settings can send live API credentials to non-default endpoints.

Review before installing if you will provide real API keys. Keep the HOST environment variables unset unless you intentionally trust the alternate endpoint, use low-privilege or test credentials where possible, and expect route, date, place, and coordinate queries to be sent to the relevant third-party travel APIs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Tainted flow: 'req' from os.environ.get (line 41, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:
req.add_header("Authorization", f"Basic {auth}")

    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read().decode("utf-8")
    except urllib.error.HTTPError as e:
        txt = e.read().decode("utf-8", errors="replace")
Confidence: 95%
Finding: with urllib.request.urlopen(req, timeout=30) as resp:

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The skill description authorizes use for three different domains—flight pricing, train/public transport planning, and EV charging lookup—based on broad natural-language triggers without clear boundaries, confirmation requirements, or priority rules. Overly broad invocation criteria can cause the agent to select this skill in unintended contexts, leading to unnecessary external API calls, disclosure of user travel/location data to third parties, or incorrect tool use when the user intent is ambiguous.

VirusTotal

63/63 vendors flagged this skill as clean.
