ClawHub

Check and book Tennis and Pickleball Courts at Bay Club Gateway

Security checks across malware telemetry and agentic risk

Overview

The skill appears to automate Bay Club bookings as advertised, but it can also add hardcoded partners and accept all checkboxes before finalizing a real reservation.

Install only if you are comfortable giving it Bay Club account access and, if enabled, Google Calendar write access. Review or modify the booking path before use so it requires an explicit partner, shows any required acknowledgements, and confirms the exact reservation details before submitting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
79% confidence
Finding
The skill invokes a shell command with environment variables and operational flags, but the manifest does not declare corresponding permissions or capabilities. This creates a transparency and policy-enforcement gap: operators may approve a skill believing it is more limited than it actually is, while the runtime can still access environment-derived secrets or configuration.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is ներկայացված as a Bay Club court booking utility, but static analysis indicates it also creates Google Calendar events using service-account credentials and accesses external Google Calendar resources. That mismatch is dangerous because it expands data access and side effects beyond user expectations, increasing the risk of unauthorized calendar modification, secret misuse, and hidden cross-service actions.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code automatically selects specific named individuals ("Samuel Wang" or "Emma Campbell") as booking partners without explicit user instruction at booking time. This exceeds the stated purpose of simple court booking and can cause unauthorized reservations, privacy issues, or actions on behalf of third parties the user did not intend to involve.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill clicks every unchecked checkbox on the page before confirmation, regardless of what each checkbox represents. This can silently accept legal terms, waivers, policies, marketing consent, or other authorizations unrelated to the user's intent, creating compliance, consent, and liability risks.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill's stated purpose is booking Bay Club courts, but the booking path also writes to Google Calendar as a side effect. That expands the skill's effective privileges beyond its declared scope and can cause unauthorized modification of a user's external account, especially since this behavior is not surfaced as a separate action.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Importing and using Google Calendar for a court-booking skill introduces an additional write-capable integration that is not justified by the skill metadata alone. Even if intended as a convenience feature, it increases the attack surface and creates a privilege mismatch between what the user expects and what the code can do.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The package manifest includes Google API and Google authentication libraries that are not obviously necessary for a skill whose stated purpose is booking Bay Club courts. Extra cloud API capability expands the skill's reachable functionality and raises the risk of hidden data access, exfiltration, or OAuth abuse if later code invokes those libraries. In this booking context, unrelated third-party API access is more suspicious because it does not align with the advertised feature set.

Missing User Warnings

High
Confidence
98% confidence
Finding
The code performs the final irreversible booking confirmation automatically, with no user approval, review screen, or warning immediately before submission. In the context of a court-booking skill, this is especially risky because it can commit reservations, fees, partner assignments, and policy acceptance without informed user consent.

Missing User Warnings

High
Confidence
99% confidence
Finding
Auto-checking all unchecked checkboxes without user-facing disclosure is a separate unsafe automation quality issue because it removes meaningful consent and bypasses review of required acknowledgments. Combined with final submission logic, it can cause the skill to complete transactions under conditions the user never saw or approved.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README promotes automatic court booking and Google Calendar modification across external services but does not clearly warn users that the skill can take real-world actions on their accounts. In an agent/WhatsApp-controlled context, this increases the risk of unintended bookings, account changes, or calendar writes triggered by ambiguous or unauthorized prompts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README instructs users to configure Bay Club credentials and Google service-account credentials without any security or privacy guidance about handling secrets. This can lead users to store highly sensitive credentials insecurely, overprivilege service accounts, or expose account access on shared hosts.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code attempts to add a Google Calendar event immediately after a successful booking without any user-facing warning, confirmation, or separate authorization step in this file. Silent writes to a third-party personal data store violate user expectations and can lead to unintended calendar modifications or privacy issues.

Unsafe Defaults

Medium
Category
Tool Misuse
Content
## Instructions
When the user asks to book or check courts:
1. Use the `shell` tool to run the implementation script.
2. The command to run is: `NODE_ENV=development STAGEHAND_ENV=LOCAL HEADLESS=true npx ts-node --transpile-only {baseDir}/bayclub_skills.ts`
3. Pass user arguments (date, time, club) as strings to the script.

## Files
Confidence
88% confidence
Finding
NODE_ENV=development

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal