ClawHub

Life Query

Security checks across malware telemetry and agentic risk

Overview

This skill performs the daily lookup functions it advertises and discloses its external services, including the free courier-tracking proxy.

Install only if you are comfortable sending package tracking numbers, optional carrier codes, currency queries, province names, and city names to the listed external services. Configure your own Kuaidi100 credentials if you prefer direct courier lookup instead of the free fenxianglife.com proxy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
When first-party credentials are absent, the script silently sends the user's tracking number and optional carrier code to a third-party proxy service. Tracking numbers can reveal personal shipment activity and, in context, this skill handles user-supplied logistics data, so undisclosed forwarding to an unrelated proxy meaningfully increases privacy and data-sharing risk.

External Transmission

Medium
Category
Data Exfiltration
Content
print(json.dumps(d))
" "$TRACKING_NUMBER" "${CARRIER_CODE:-}")

  RESP=$(curl -sf --max-time 15 -X POST \
    -H "Content-Type: application/json" \
    -d "$BODY" \
    "https://api.fenxianglife.com/fenxiang-ai-brain/skill/courier/track" 2>/dev/null) || {
Confidence
96% confidence
Finding
curl -sf --max-time 15 -X POST \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
RESP=$(curl -sf --max-time 15 -X POST \
    -H "Content-Type: application/json" \
    -d "$BODY" \
    "https://api.fenxianglife.com/fenxiang-ai-brain/skill/courier/track" 2>/dev/null) || {
    echo '{"status":"error","error_type":"api_unavailable","service":"fenxianglife.com","suggestion":"快递查询服务暂时不可用,请稍后重试。如有自有快递100凭证,可设置 KUAIDI100_KEY 和 KUAIDI100_CUSTOMER 环境变量直连。"}' >&2
    exit 1
  }
Confidence
95% confidence
Finding
https://api.fenxianglife.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal