Places

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Camino API wrapper for place lookup, with expected network use and no hidden persistence or unrelated data access.

Install only if you are comfortable sending place searches, addresses, optional photo requests, and any trial signup email to Camino. Use a limited or trial API key where possible, and prefer installing only this skill rather than the full companion repo unless you review the other skills too.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Low
Confidence: 84%
Finding
The setup flow instructs users to submit an email address to an external service to obtain a trial API key, but it does not clearly disclose that personal data is being transmitted off-platform. This is a real privacy/transparency issue because users may reveal identifying information without adequate notice or consent context.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script transmits user-supplied location data directly to a third-party remote API, but provides no explicit user-facing notice or consent checkpoint about that network transmission. Because location and address data can be sensitive, silently sending it off-host creates a real privacy and data-handling risk, especially when used in agent workflows where the end user may assume processing is local.

External Transmission

Medium
Category: Data Exfiltration
Content:
fi

# Make API request
curl -s -X POST \
    -H "X-API-Key: $CAMINO_API_KEY" \
    -H "Content-Type: application/json" \
    -H "X-Client: claude-code-skill" \
Confidence: 89%
Finding
curl -s -X POST \ -H "X-API-Key: $CAMINO_API_KEY" \ -H "Content-Type: application/json" \ -H "X-Client: claude-code-skill" \ -d

VirusTotal

No VirusTotal findings