Caltrain

Security checks across malware telemetry and agentic risk

Overview

This Caltrain skill needs review because it asks for and stores an unrelated XiaoBenYang API key and routes requests through an external MCP service with confusing copied school-search references.

Install only if you trust XiaoBenYang to receive your Caltrain queries and API key. Treat the key as a persistent local secret stored in .env, and review or remove that file when you no longer need the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill advertises no explicit permissions, yet its documented behavior requires environment access, local file read/write, and network communication. This creates a transparency and consent problem: users and reviewers cannot accurately assess what the skill can access, including persistent credential storage and outbound API usage.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The documented purpose is a Caltrain GTFS timetable service, but the skill also instructs collecting and persisting an API key, calling an unrelated external platform, and exposing broader remote tool invocation behavior. This mismatch is dangerous because it can mislead users into providing secrets and approving networked operations they would not expect from a simple timetable lookup tool.

Intent-Code Divergence

High
Confidence: 94%
Finding: The documentation contains examples and workflow text for an unrelated gaokao/school-search API, indicating copy-paste contamination or confusion about what backend is actually being invoked. In a security context, such inconsistencies are a red flag because they can hide unintended tool routing, data exfiltration, or invocation of services unrelated to the user's request.

Intent-Code Divergence

Medium
Confidence: 89%
Finding: The API-key instructions direct users to an unrelated external website that does not match the claimed GTFS timetable purpose. This increases phishing and credential-harvesting risk because users are asked to obtain and submit a secret for a service that is not clearly connected to the advertised functionality.

Intent-Code Divergence

Medium
Confidence: 87%
Finding: The project structure references an unrelated gaokao project name, contradicting the train-service identity and suggesting the skill may be repurposed code with unclear boundaries. Such provenance confusion makes security review harder and raises the risk that unrelated logic, endpoints, or secret handling remain embedded in the skill.

Description-Behavior Mismatch

High
Confidence: 97%
Finding: The file's implementation materially contradicts the declared skill purpose: instead of a Caltrain GTFS timetable lookup client, it performs generic outbound calls to an unrelated external MCP API using configurable tool names and parameters. This kind of capability mismatch is dangerous because it can disguise broad remote execution/invocation behavior behind an innocuous transit-service manifest, enabling covert data exfiltration or unauthorized external actions.

Context-Inappropriate Capability

High
Confidence: 96%
Finding: The call_tool method accepts arbitrary tool names and parameter dictionaries and forwards them to an external service, creating a generic remote tool invocation primitive unrelated to train schedule lookup. In the context of a supposedly narrow transit skill, this significantly expands capability and can be abused to trigger unintended remote operations or send sensitive user-provided data to an opaque third party.

Intent-Code Divergence

Medium
Confidence: 83%
Finding: The docstrings explicitly describe a '小笨羊MCP API/tool' (XiaoBenYang MCP API/tool) client, reinforcing that the code's real behavior differs from the manifest's Caltrain GTFS description. While a documentation mismatch alone is not always exploitable, here it corroborates deceptive or at least undisclosed functionality, which increases the risk that reviewers and users will misunderstand which external system receives their requests.

Description-Behavior Mismatch

High
Confidence: 97%
Finding: This skill is described as a Caltrain timetable query service, but the code implements unrelated API credential storage and retrieval for an external 'XBY' service. That scope mismatch is dangerous because it introduces secret-handling capability users would not reasonably expect, increasing the chance of silent credential collection or reuse beyond the train-query function.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding: The function persists an API key to a local .env file, creating durable secret storage on disk without necessity established by the train-schedule use case. Unnecessary persistence increases exposure through source directory leaks, backups, shared workspaces, or later unintended reads by other components.

Intent-Code Divergence

Medium
Confidence: 88%
Finding: The class docstring identifies this as a '高考Skill配置' (gaokao skill configuration) rather than a train timetable skill, which is a strong indicator of copied or repurposed code with mismatched trust boundaries. In security terms, this inconsistency raises suspicion that hidden functionality or incorrect secret routing may exist, especially alongside unrelated API key handling.

Missing User Warnings

Medium
Confidence: 95%
Finding: The skill instructs the agent to ask the user for an API key and persist it locally, but it does not disclose storage duration, location, access controls, or risks of persistence. This is dangerous because users may unknowingly provide sensitive credentials that remain on disk and could be exposed to other processes, logs, or future sessions.

Missing User Warnings

Medium
Confidence: 95%
Finding: The code writes an API key to .env without any user-facing disclosure, warning, or consent mechanism. Silent secret persistence is dangerous because users may believe a key is used transiently while it is actually stored on disk for future access.

VirusTotal

64/64 vendors flagged this skill as clean.