
Security audit

Ship Position

Security checks across malware telemetry and agentic risk

Overview

This maritime skill is not malicious, but its mailbox-based charter workflow has sensitive access and persistence that users should review before installing.

Install only if you intend to use HiFleet authenticated maritime lookups and are comfortable with the charter module accessing a mailbox. Use a dedicated mailbox or app-specific IMAP password, protect config.json and local memory/SQLite files, avoid untrusted HIFLEET_API_BASE or *_API_BASE overrides, and treat email-derived charter data as potentially sent to HiFleet APIs and an LLM after redaction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Intent-Code Divergence

Medium (84% confidence)
The documentation claims the skill only performs fixed read-only API requests, but elsewhere it also advertises charter email-search workflows. That inconsistency can hide additional data access paths, including potentially sensitive mailbox content or broader integrations, undermining security review and least-privilege assumptions.

Description-Behavior Mismatch

Medium (95% confidence)
The file-level description says the tool only writes/searches SQLite charter facts, but the implementation also sends data to remote HiFleet APIs for enrichment and port-distance queries. That mismatch is security-relevant because operators may run the tool assuming it is local-only while parsed email-derived shipping data is actually transmitted off-host.

Vague Triggers

Medium (71% confidence)
The charter trigger set mixes very broad commercial and email-related terms, increasing the chance that the skill is invoked for unrelated business conversations. Because this feature area includes mailbox search workflows, overbroad triggering could expose or process sensitive email-derived data without sufficiently clear user intent.

Vague Triggers

Medium (79% confidence)
The route-B trigger definition uses broad, non-exhaustive examples without a tight decision boundary, which can cause the agent to select the schedule API flow for ambiguous user requests. In this skill, that matters because route selection changes data source, authorization behavior, and whether paid unlock actions may be suggested, so misrouting can lead to unintended data access patterns or incorrect handling of user intent.

Vague Triggers

Medium (92% confidence)
The manifest description advertises a very broad set of capabilities and says to use the skill for many maritime, email-search, routing, weather, fleet, and AIS tasks without concrete trigger boundaries. In an agentic environment, this can cause over-invocation on loosely related prompts, increasing the chance that the skill accesses email-backed data, local memory/SQLite stores, or external APIs when a narrower tool would be safer.

Missing User Warnings

Medium (95% confidence)
The workflow explicitly asks the user to provide a third-party email client password and then instructs the assistant to test connectivity to the IMAP server, which implies transmitting highly sensitive credentials over the network. Although this is functionally related to mailbox search, the skill does not require explicit informed consent language, warn about credential handling risks, or mandate secure secret storage beyond broad guidance, creating unnecessary exposure of mailbox credentials.

Missing User Warnings

Medium (97% confidence)
The code posts shipping and email-derived data such as port names, IMO identifiers, and distance query inputs to external APIs without any explicit in-file warning or consent gate. In this skill context, the data originates from parsed chartering emails and operational records, so silent transmission can expose commercially sensitive logistics information to an external service.

Missing User Warnings

Medium (95% confidence)
The document instructs clients to send the API key as a GET query parameter, which commonly exposes credentials through browser history, proxy logs, server access logs, monitoring tools, and referrer leakage. In this skill context, the risk is real because the API key is a reusable secret for a commercial vessel-data service, and the document does not warn users or steer them toward a safer transport mechanism.

Vague Triggers

Medium (84% confidence)
The Ship Position triggers include very generic terms such as '位置', '在哪', 'location', and 'where is', which can match ordinary user utterances unrelated to vessel tracking. In an agentic routing system, this can cause unintended invocation of the skill and unnecessary access to maritime data or downstream APIs, especially when multiple tools are available.

Vague Triggers

Medium (88% confidence)
The Port guide trigger list uses broad generic words like '港口', 'port', and 'port info', which are ambiguous and may collide with normal conversation or non-maritime requests. Because this skill can query authenticated port APIs, accidental routing may expose internal capability use, consume API quota, or return irrelevant operational data.

Vague Triggers

Medium (90% confidence)
The Charter triggers include very broad business terms such as 'contract', 'line', 'schedule', and 'cargo', which are highly ambiguous outside shipping workflows. This is more dangerous in context because the charter module may access email search, memory, and authenticated HiFleet APIs, so misrouting could touch sensitive communications or invoke higher-risk actions than the user intended.

Missing User Warnings

Medium (93% confidence)
The script places the API key in the query string, which can be exposed through server logs, browser history and its equivalents, proxy logs, monitoring tools, shell history if URLs are echoed, and upstream infrastructure. Even over HTTPS, URL query parameters are recorded far more widely than headers, so the risk of credential leakage is materially higher.

Missing User Warnings

Medium (95% confidence)
Allowing HIFLEET_API_BASE to override the destination host means the script can be pointed at any external server while still appending the API key to requests. In this file, because the key is also sent as a URL parameter, a malicious or misconfigured base URL can directly exfiltrate credentials to an attacker-controlled endpoint.

VirusTotal

66/66 vendors flagged this skill as clean.
