Fishing Trip Planner

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims, but it stores API keys and trip history locally and shares trip details with map and weather providers.

Install only if you are comfortable giving AMap and QWeather your trip locations and dates. Use dedicated low-privilege API keys, avoid running the script with elevated privileges, and delete ~/.fishing-planner/ if you want to remove stored keys and trip history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Lp3 (Medium)

Category: MCP Least Privilege
Confidence: 91%
Finding: The skill instructs use of shell execution, network access, environment/config handling, and local file reads/writes, yet it declares no permissions or capability boundaries. This creates a real security and governance issue because users and hosting agents are not clearly informed that the skill can persist data locally and communicate with external services.

Missing User Warnings (Medium)

Confidence: 90%
Finding: The README states that each trip plan is automatically archived, but it does not clearly warn users that potentially sensitive travel data such as origin, destination, date, and travel mode will be stored persistently. In a trip-planning context, this can expose personal movement patterns or location history to other local users, backups, or logs if the host environment is shared or compromised.

Missing User Warnings (Medium)

Confidence: 96%
Finding: The skill description omits a clear privacy/security warning that API keys are stored persistently in ~/.fishing-planner/config.json, trip history is archived locally, and user itinerary/location data is sent to AMap and QWeather APIs. This is dangerous because sensitive travel patterns, destinations, and credentials may be retained or disclosed to third parties without sufficiently explicit user awareness or consent.

Missing User Warnings (Medium)

Confidence: 90%
Finding: The guide explicitly instructs users to store API keys in a local config file and to automatically save trip histories containing report metadata, but it does not warn about local privacy/security risks such as credential exposure, backups, multi-user systems, or sensitive location history retention. While local storage is common, documenting it without clear retention, redaction, and protection guidance increases the chance of accidental disclosure of secrets and personal travel data.

Missing User Warnings (Medium)

Confidence: 93%
Finding: The tool sends sensitive trip context including origin, destination, date, coordinates, and possibly tide-station/location lookups to third-party map and weather providers without an explicit privacy notice or consent step. In a trip-planning context, that can expose highly sensitive behavioral and location information to external services, especially when combined with saved local trip history.

VirusTotal

65/65 vendors flagged this skill as clean.