IDFM Journey (PRIM/Navitia)

Security checks across malware telemetry and agentic risk

Overview

The skill does match its transit-planning purpose, but it includes an under-disclosed option that can send the IDFM API key to an arbitrary server.

Install only if you are comfortable providing an IDFM PRIM API key. Use the default official PRIM/Navitia endpoint, do not pass --base-url unless you fully trust the destination, and prefer a dedicated/revocable API key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill requires both network access and an environment-provided API key (`IDFM_PRIM_API_KEY`), but it does not explicitly declare these permissions. That creates a transparency and policy-enforcement gap: a host may allow the skill to run without clearly signaling that it can exfiltrate environment secrets or make outbound requests. In this context the functionality legitimately needs env and network access, so the issue is not that those capabilities exist, but that they are undeclared and therefore harder to review, constrain, and sandbox safely.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The CLI accepts a user-controlled --base-url and then unconditionally sends the IDFM API key in an apikey header to that endpoint. This enables server-side request forgery and credential exfiltration if an attacker can influence arguments or the agent/tool invocation, which is especially relevant in an agent skill context where tools may be invoked from natural-language-driven workflows.

VirusTotal

57/57 vendors flagged this skill as clean.
