ClawHub

Parking Finder

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward parking-search helper that sends user-provided location queries to Camino AI using a disclosed API key.

Install if you are comfortable sending parking searches, destinations, and optional precise coordinates to Camino AI. Keep CAMINO_API_KEY private, avoid storing it in shared or synced plaintext files when possible, and use less precise location inputs for sensitive trips.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill documentation instructs users to run shell commands and script files, but the skill declares no permissions for shell/code execution. This mismatch can mislead users and downstream tooling about the skill's actual capabilities, weakening trust boundaries and permission review even though the shown commands are ordinary installation and usage steps.

VirusTotal

No VirusTotal findings

View on VirusTotal