ClawHub

Local Poi Planner

Security checks across malware telemetry and agentic risk

Overview

This nearby-places skill is mostly purpose-aligned, but it can automatically infer sensitive current location and includes code/comments aimed at finding a non-VPN public IP.

Install only if you are comfortable with the skill using your current or approximate location for nearby recommendations and sharing addresses, coordinates, or IP-derived location with mapping/search providers. Prefer giving an explicit origin manually; avoid using automatic nearby/CoreLocation/IP fallback if you do not want the skill to infer your location or work around VPN-based privacy expectations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import json
import subprocess

CLI_PATH = subprocess.run(
    ["which", "CoreLocationCLI"],
    capture_output=True, text=True, timeout=5
).stdout.strip() or "/opt/homebrew/bin/CoreLocationCLI"
Confidence
88% confidence
Finding
CLI_PATH = subprocess.run( ["which", "CoreLocationCLI"], capture_output=True, text=True, timeout=5 ).stdout.strip() or "/opt/homebrew/bin/CoreLocationCLI"

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The code and comments explicitly aim to discover the user's 'real (non-VPN) public IP' and prefer a provider because it is 'more likely to bypass VPN.' That goes beyond normal geolocation and attempts to defeat a privacy/security control, which can expose the user's actual network location without informed consent.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The documentation presents the feature as a benign fallback, but the docstring/comments state the actual goal is to reveal the 'real' IP behind a VPN. This mismatch is dangerous because it obscures privacy-invasive behavior from reviewers and users, increasing the chance the capability is deployed without proper scrutiny or consent.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
When the query implies 'nearby' and no origin is specified, the script automatically attempts macOS CoreLocation and then IP geolocation to infer the user's location. That collects sensitive location data without an explicit consent gate in this file, and the result is later used for provider and web queries, increasing privacy exposure.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The --corelocation flag triggers OS-level location retrieval and converts the result into coordinates for downstream processing. Although user-invoked, the file does not show a privacy notice, permission rationale, or minimization controls, so it creates a sensitive-data collection path with limited transparency.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The reverse-geocoding function sends latitude/longitude to an external Amap API, which is a network transmission of precise location data. In a local POI planner this may be functionally relevant, but the file provides no consent, disclosure, or minimization, so the privacy risk is real rather than merely theoretical.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The code explicitly falls back to using IP-derived latitude/longitude as the search origin when no origin name is provided. Even though this supports location-based POI functionality, it processes approximate geolocation without any visible consent, notice, or minimization controls in this file, which creates a privacy risk and can surprise users.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill can automatically resolve the user's current location when nearby-language is detected, but the description does not present a prominent upfront privacy warning or explicit consent step before accessing device/IP-based location. Because the skill also routes data into external search/enrichment workflows, implicit location capture may expose sensitive whereabouts without the user's clear awareness.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document discloses exact filesystem locations for sensitive material, including `~/.openclaw/credentials/search.json` and a `.env.local` file containing an Amap key. Even without revealing the secrets themselves, publishing precise credential paths materially lowers the effort for an attacker, malicious plugin, or overly broad automation to locate and exfiltrate them from a developer workstation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The function sends user-supplied addresses to a third-party geocoding service without any disclosure, consent mechanism, or indication in the code path that location-related data leaves the local environment. Addresses can contain sensitive personal or business location information, so silent transmission to an external provider creates a real privacy and compliance risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script sends requests to multiple third-party IP-discovery services and then to Amap, disclosing the user's public IP and enabling city-level location inference. In an agent/skill context this can occur silently, creating a privacy leak and external data sharing without user awareness.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script can automatically determine current location from CoreLocation or IP-based lookup based on query wording alone, yet no warning or consent text appears here. Silent collection of location data is dangerous because users may not realize a generic natural-language query triggers sensitive device- or network-derived location access.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Reverse-geocoding transmits exact GPS coordinates to an external service, but the file does not present any disclosure to the user at the point of collection or transmission. This can expose highly sensitive location information to a third party without informed user awareness.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The file uses IP-based coordinates to perform nearby POI searches, but there is no visible disclosure, consent prompt, or indication to the caller that geolocation is being inferred automatically. This creates a privacy and transparency issue because location data is sensitive and may be used without the user realizing it.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal