ClawHub
Back to skill

Security audit

Make and Model Recognition

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it sends a user-chosen vehicle image to TrafficEye for make, model, and license-plate recognition.

Install only if you are comfortable sending selected vehicle images and any detected license plate data to TrafficEye. Use an environment-scoped TrafficEye API key, prefer header or bearer authentication, and avoid using query-string API keys unless your deployment specifically requires them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares environment requirements and describes reading a local image file and sending it to a remote API, but it does not explicitly declare permissions or prominently communicate those capabilities. This weakens transparency and reviewability, increasing the chance that users or hosting platforms invoke a networked, file-reading skill without understanding its data access and outbound transmission behavior.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly uploads a user-supplied local image to a third-party service, but the instructions do not provide a clear warning that data leaves the local system or advise users to avoid sensitive images. Images of vehicles and license plates can contain personal or regulated information, so silent transmission to an external API creates privacy, compliance, and consent risks.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal