Driver Receipt Generator

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only receipt helper that clearly centers on using ReceAI, with privacy cautions but no hidden code, persistence, credential access, or destructive behavior.

Install only if you are comfortable using ReceAI for receipt generation. Before creating or emailing a receipt, confirm the passenger email address, route, fare, payment details, and whether any receipt history or third-party retention is acceptable; avoid including unnecessary passenger information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium (87% confidence)
Finding
The invocation examples are broad, plain-English requests like 'Create a receipt' and 'Send a receipt,' which can plausibly appear in normal conversation and unintentionally trigger the skill. Because the skill can process ride details and potentially send receipts by email, accidental activation could expose personal, trip, or contact data to the external service or cause unintended outbound actions.

Missing User Warnings

Medium (94% confidence)
Finding
The README instructs users to provide ride details and mentions emailing receipts and shareable links, but it does not warn that passenger names, routes, payment details, and email addresses may be transmitted to ReceAI or other recipients. This creates a privacy and data-handling risk because users may unknowingly disclose sensitive personal and trip information to a third-party service without informed consent.

Vague Triggers

Medium (95% confidence)
Finding
The trigger list contains very broad, everyday terms such as "receipt" and "invoice," which can cause the skill to activate in unrelated contexts. Because this skill encourages sending data to a third-party receipt service, accidental activation could lead to unintended collection or disclosure of ride, payment, or passenger information.

Missing User Warnings

Medium (93% confidence)
Finding
The skill advertises automatic emailing of receipts via ReceAI without clearly warning that passenger names, ride details, and email addresses may be transmitted to an external service. In this context, the data can include sensitive personal and financial metadata, so users may unknowingly disclose third-party information without informed consent.

Missing User Warnings

Medium (96% confidence)
Finding
The workflow instructs direct delivery by email through ReceAI but omits an explicit privacy and data-sharing warning at the action step where disclosure would occur. This increases the risk of users sending personally identifiable passenger and trip data to a third party without realizing it, especially during fast, in-car or transactional use.

VirusTotal

66/66 vendors flagged this skill as clean.
