Hotel Competitor Research OpenClaw Assistant (酒店竞对调研openclaw助手)

Security checks across malware telemetry and agentic risk

Overview

This is a simple hotel competitor report helper with documentation gaps, but no evidence of hidden data theft, destructive behavior, persistence, or unsafe automatic execution.

Install only if you are comfortable with a basic/manual report generator rather than a full automatic search tool. Review any Excel input before use, choose the output path deliberately, and do not submit confidential hotel or business data to future API-enabled versions unless the provider and data handling are clearly disclosed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The skill description claims automatic nearby-hotel search and report generation, but the observed behavior includes manual data import and simulated auto-fetch behavior instead of the advertised functionality. This mismatch is dangerous because users and orchestrators may grant trust, permissions, or sensitive hotel data based on false assumptions about what the skill actually does, increasing the risk of inappropriate data handling and unsafe execution flows.

Missing User Warnings

Low
Confidence: 84%
Finding:
The markdown does not warn users that hotel names or related user-provided business data may be sent to a third-party API for external search. This is a real security and privacy issue because users cannot make an informed decision about data exposure, and enterprise environments may have restrictions on transmitting operational data to external services.

VirusTotal

60/60 vendors flagged this skill as clean.