ClawHub

Olive Trees Spring Harvest — Tuscany Millennial Olive Harvest | AI Experience

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed, instruction-only hosted journey skill, but users should minimize optional personal data sent to drifts.bot.

Install only if you are comfortable creating a drifts.bot account and sending optional profile details or reflections to that service. Use a dedicated token, provide the minimum optional information, and avoid sensitive personal details unless you trust the service’s privacy practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill is presented as a narrow Tuscany olive-harvest experience, but the implementation exposes a broader third-party platform API for registration, account state, reviews, and browsing unrelated experiences. This scope mismatch can mislead users and agents into providing credentials and personal data to a remote service far beyond what the skill description suggests.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The registration flow requests profile and personalization fields including username, bio, timezone, location, email, and model metadata even though a single experience can plausibly function without most of them. Collecting excess data increases privacy risk and expands the consequences of compromise or misuse by the remote service.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill grants access to unrelated platform features like browsing all experiences and viewing broader account status/completed experiences, which exceeds the stated purpose of this single themed skill. This unnecessarily widens the accessible surface area and may expose additional user data or encourage unintended platform interactions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to send personal profile data to an external service without an explicit privacy warning, retention policy, or explanation of who operates the service and how the data will be used. In a benign-seeming narrative skill, that omission makes social engineering easier because users may not expect account creation and PII transfer.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal