智慧餐饮

Security checks across malware telemetry and agentic risk

Overview

This restaurant assistant matches its stated purpose, but it sends personal and transaction data to a raw-IP MCP endpoint that conflicts with its stated domain, and its privacy-retention disclosures are inconsistent.

Review before installing with real customer data. Verify that the publisher controls the MCP endpoint, ask them to use the disclosed domain instead of a raw IP, clarify retention for member data and conversation logs, and confirm all orders, reservations, cancellations, and delivery details before approving action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 88%
Finding
The skill includes broad, everyday trigger phrases such as hunger or nearby-food style wording, which can cause the agent to activate in conversations that are not clearly requesting restaurant actions. In a transactional skill that can lead to menu recommendations, ordering, or reservation flows, over-broad triggering increases the risk of unintended engagement and confusing or premature tool use.

Vague Triggers

Medium
Confidence: 91%
Finding
The intent rules directly map ambiguous natural-language expressions like '我饿了' ("I'm hungry") or '明天聚餐' ("group meal tomorrow") into recommendation or reservation scenarios without sufficient qualification. This can misclassify casual conversation as operational intent, which is more dangerous here because the skill is designed to progress into real booking and ordering workflows tied to restaurant backends.

Vague Triggers

Medium
Confidence: 77%
Finding
The skill description is broad enough to match ordinary restaurant-related conversation, which can cause accidental invocation in contexts where the user did not intend to interact with this skill. Because the skill exposes transactional actions like ordering, reserving, queueing, and cancellation, over-broad matching increases the chance of unintended data access or triggering sensitive operations.

Missing User Warnings

Medium
Confidence: 87%
Finding
The manifest exposes operations that process personal data such as phone numbers, addresses, reservations, membership data, and orders, but the top-level description does not clearly warn users that the skill can create, cancel, or query real transactions. In a messaging environment, that lack of upfront disclosure raises the risk of users sharing sensitive information or authorizing impactful actions without informed consent.

VirusTotal

63/63 vendors flagged this skill as clean.