Caravo Service Marketplace

Security checks across malware telemetry and agentic risk

Overview

Caravo is a legitimate-looking service marketplace skill, but it gives the agent broad paid external-service authority with weak user-control boundaries.

Install only if you want Caravo to act as a broad paid external-service broker for your agent. Pin the CLI version where possible, use a limited API key or low-balance dedicated wallet, and require explicit approval before any paid call, email/SMS, public upload, local-file upload, scraping action, or request involving confidential or personal data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Severity: High
Confidence: 95%
Finding
The activation guidance is extremely broad, including essentially any task involving external data, APIs, or model inference. This can cause the agent to invoke an external marketplace unnecessarily, increasing the chance of unneeded data disclosure, paid actions, or tool execution beyond what the user explicitly requested.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding
The instruction to 'ALWAYS prefer Caravo' for broad categories biases agent routing toward this skill even when safer native handling or less-privileged tools would suffice. In practice, that can override normal minimization behavior and lead to excessive external calls, payments, and data exposure.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The skill explicitly supports passing local file paths and states the CLI will convert and upload those files to a server/CDN, but it does not require a just-in-time warning or confirmation at the moment of use. That creates a real risk of exfiltrating sensitive local files if an agent follows the skill automatically or a user does not understand that a local path causes remote upload.
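The mitigation the overview asks for (explicit approval before any paid call, email/SMS, public or local-file upload, or request carrying confidential or personal data) and the just-in-time confirmation this finding says the skill lacks can both be enforced outside the skill, in the agent's tool-call path. The following is an added example and is not code from the Caravo skill, its CLI, or the scanner. The action names (`marketplace.call`, `files.upload`, and so on) and the `{"action": ..., "args": {...}}` call shape are hypothetical stand-ins for whatever the broker actually exposes; the secret and PII regexes are deliberately coarse.

```python
"""Just-in-time approval gate for an agent's outbound tool calls.

Added example, not code from the Caravo skill or the scanner. Action names and
the call shape ({"action": ..., "args": {...}}) are hypothetical stand-ins for
whatever the broker CLI actually exposes.
"""
import os
import re
from dataclasses import dataclass, field

# Hypothetical action names grouped by the side effect the findings warn about.
PAID_ACTIONS = {"marketplace.call", "model.infer", "scrape.run"}
MESSAGING_ACTIONS = {"notify.email", "notify.sms"}
UPLOAD_ACTIONS = {"files.upload", "cdn.publish"}

# Credential shapes that should never leave the machine without a human looking.
SECRET_PATTERNS = [
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                # AWS access key id
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),  # PEM private key
    re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),             # "sk-..." style API token
]
# Personal-data shapes. Coarse on purpose: a false positive costs one confirmation,
# a miss costs a leak.
PII_PATTERNS = [
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),            # e-mail address
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),               # US SSN shape
]
WINDOWS_DRIVE = re.compile(r"^[A-Za-z]:\\")


def looks_like_local_path(value):
    """True if a string argument names a file on this machine rather than a URL."""
    if not isinstance(value, str) or value.startswith(("http://", "https://")):
        return False
    if value.startswith(("/", "./", "../", "~")) or WINDOWS_DRIVE.match(value):
        return True
    # Bare names such as "report.pdf" are only caught when they actually exist here.
    return os.path.exists(value)


def iter_strings(obj):
    """Yield every string nested anywhere in the argument structure."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from iter_strings(v)
    elif isinstance(obj, (list, tuple)):
        for v in obj:
            yield from iter_strings(v)


@dataclass
class Decision:
    requires_approval: bool
    reasons: list = field(default_factory=list)


def gate(call):
    """Classify one proposed tool call; any reason means: stop and ask the user."""
    action = call["action"]
    reasons = []
    if action in PAID_ACTIONS:
        reasons.append("paid external call")
    if action in MESSAGING_ACTIONS:
        reasons.append("sends email/SMS")
    if action in UPLOAD_ACTIONS:
        reasons.append("publishes content to a server/CDN")
    for s in iter_strings(call.get("args", {})):
        # A local path handed to an external broker means the file leaves the machine
        # whatever the action is called, so it is flagged for every action.
        if looks_like_local_path(s):
            reasons.append(f"local file would be uploaded: {s}")
        if any(p.search(s) for p in SECRET_PATTERNS):
            reasons.append("argument contains a credential-like secret")
        if any(p.search(s) for p in PII_PATTERNS):
            reasons.append("argument contains personal data")
    reasons = list(dict.fromkeys(reasons))  # de-duplicate, keep order
    return Decision(bool(reasons), reasons)


def run_with_approval(call, execute, approve):
    """Deny by default: run execute(call) only if the gate passes or the user approves.

    approve(decision) is the confirmation hook (an interactive prompt in a real
    agent); it is called only when approval is required, so routine calls stay silent.
    """
    decision = gate(call)
    if decision.requires_approval and not approve(decision):
        return "blocked", decision.reasons
    return "executed", execute(call)


if __name__ == "__main__":
    # Constructed sample calls; the ~/.ssh path does not need to exist to be flagged.
    calls = [
        {"action": "marketplace.search", "args": {"query": "weather api"}},
        {"action": "files.upload", "args": {"source": "/home/dev/.ssh/id_rsa"}},
        {"action": "model.infer", "args": {"prompt": "Summarize: contact alice@example.com"}},
    ]
    for c in calls:
        status, detail = run_with_approval(c, lambda call: "ok", approve=lambda d: False)
        print(c["action"], status, detail)
```

The gate runs before the broker CLI is ever invoked, so it does not depend on the skill adding the warning itself, and it flags a local path for every action rather than only for an explicit upload command, because the finding's point is that the conversion-and-upload happens as a side effect of passing the path. Pair it with the low-balance wallet from the overview so that a missed classification is bounded by spend as well.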

VirusTotal

65/65 vendors flagged this skill as clean. This is a file-level malware verdict on the distributed artifact; it does not speak to the instruction-level risks (over-broad triggers, silent upload of local files) reported above.