DiDi Ride SKILL

Security checks across malware telemetry and agentic risk

Overview

This DiDi ride skill is coherent for ride booking, but it asks users to share and persist a credential in chat and can create real or scheduled ride orders with limited confirmation safeguards.

Review before installing. Use a secure configuration method for DIDI_MCP_KEY rather than pasting the key into normal chat, confirm what account permissions the key grants, and be aware that this skill can place real ride orders, schedule future ride orders, store addresses and phone numbers, and send delayed status notifications.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The README describes automatic background scheduling, follow-up status polling, and push-style notifications that go beyond a simple on-demand transportation/query entry point. In a mobility skill, this expands the operational scope from user-initiated actions to persistent autonomous behavior, increasing the chance of unintended actions, privacy exposure, and hidden side effects.

Context-Inappropriate Capability

Medium
Confidence: 83%
Finding
Documenting cron-task creation for scheduled rides and automatic status polling indicates the skill may create persistent background jobs not obviously necessary for a basic mobility entry skill. That matters because background execution can trigger actions later without fresh user review and can continue processing trip/order data outside the immediate request lifecycle.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The README tells users to paste their MCP key directly into chat and says the AI will persist it automatically. Encouraging secret submission through conversational channels increases the risk of credential leakage through logs, transcripts, model memory features, support tooling, or unintended reuse by the agent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The quick-start flow instructs users to provide an MCP key in chat without any warning about credential sensitivity or safer alternatives. This normalizes insecure secret handling and can expose API credentials to conversation history, telemetry, third-party integrations, or future prompt leakage.

Missing User Warnings

Medium
Confidence: 88%
Finding
The README describes automatic ride dispatch and scheduled task creation without prominently warning that these behaviors can create real-world orders, process location/order data, and incur user-visible consequences. In a transportation skill, silent automation is especially risky because mistakes can cause charges, trip creation, and privacy-impacting background checks.

Missing User Warnings

High
Confidence: 98%
Finding
The README explicitly instructs users to paste their MCP KEY directly into the AI chat, which encourages disclosure of a credential through a conversational channel that may be logged, retained, or exposed to other tools and operators. Because this skill handles ride-ordering and location-related actions, compromise of the key could enable unauthorized API use and access to sensitive travel workflows.

Missing User Warnings

High
Confidence: 99%
Finding
The README states that the AI will automatically persist the user's MCP KEY after the user sends it in conversation, without an explicit consent or warning about how and where the credential will be stored. Silent or poorly explained persistence of secrets increases the risk of unintended retention, leakage through logs/backups, and reuse by other components beyond the user's expectations.

Vague Triggers

High
Confidence: 98%
Finding
The trigger scope is intentionally expansive: it mandates use of this skill for almost any travel-related utterance, including common phrases like going home, commuting, route planning, nearby search, and order lookup. In an agent environment, such broad matching can cause over-invocation, unintended collection/use of location and ride-order context, and routing users away from more appropriate tools or safer clarification-first behavior.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs the agent to accept a user-supplied MCP key in chat and persist it to configuration, but it provides no user-facing warning about the sensitivity, storage duration, reuse by future sessions/cron jobs, or safer alternatives. This creates a credential-handling risk: users may paste long-lived secrets into conversation without informed consent, and the key may be retained beyond the immediate task context.

Missing User Warnings

Medium
Confidence: 97%
Finding
The API reference explicitly documents `taxi_create_order` as creating a real ride order directly and automatically, but it does not require or even warn about obtaining explicit user confirmation before invoking an irreversible real-world action. In an agent setting, this materially increases the risk of unauthorized purchases, unwanted ride dispatches, disclosure of a rider phone number, and physical-world safety issues if the model misinterprets user intent or is prompt-injected into ordering a car.

VirusTotal

64/64 vendors flagged this skill as clean.