17TRACK

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real 17TRACK package-tracking skill, but it has review-worthy safety gaps around webhook trust and automatic deletion of local tracking records.

Install only if you are comfortable giving it a 17TRACK API token and letting it maintain a local shipment database. Avoid webhook mode unless it is bound locally or protected by trusted network controls, because invalid signatures are not rejected. Review or disable the daily-report cleanup if you want to keep delivery history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding:
The webhook ingestion path computes and records signature validity but does not enforce it before storing and applying the payload to the local database. An attacker who can reach the webhook endpoint or feed files into the inbox can inject forged tracking updates, create package rows, and poison shipment history, which exceeds a safe parcel-tracking-only trust boundary.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding:
The README explicitly encourages broad trigger phrases like 'where is my package?' and 'any updates on my orders?' without clear scoping or confirmation requirements. In an agentic environment, ambiguous activation can cause the skill to run on ordinary conversation and initiate package-status lookups or related actions when the user did not clearly intend to invoke shipment tracking.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The README states that delivered packages are 'automatically removed by daily reports' but does not warn users about retention loss, deletion timing, recoverability, or how to disable the behavior. Automatic deletion of tracking records can lead to unintended data loss, loss of audit/history, and surprise removal of user-maintained shipment metadata.

Vague Triggers

Severity: High
Confidence: 97%
Finding:
The description includes very broad trigger phrases such as 'track this', 'where is my order', and 'any updates on my package', which overlap with ordinary user speech and can cause the skill to be invoked in contexts where the user did not explicitly consent to using this package-tracking integration. Because the skill has network and local data storage behavior, over-broad routing increases the chance of unintended API use, data persistence, and action execution.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The skill documents automatic cleanup that removes delivered packages from the local database, but it does not provide a prominent warning, retention policy, or confirmation mechanism. Silent deletion can cause loss of shipment history and auditability, and is riskier here because the skill maintains a persistent SQLite store that users may reasonably expect to remain intact unless they explicitly opt in to cleanup.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The script automatically removes delivered packages during report generation without an explicit user confirmation step or opt-in flag. In an agent context, this is dangerous because a read-like reporting action also performs irreversible state mutation, which can cause silent data loss, destroy audit history, and make later investigation or reconciliation impossible.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
Unauthenticated webhook payloads are not only accepted but also stored in the payloads table and used to update package state, while the user-facing flow only prepends a summary note such as 'INVALID signature' or 'no signature header'. This makes it easy for operators to assume the data was safely handled even though attacker-controlled network input was trusted and persisted.

VirusTotal

65/65 vendors flagged this skill as clean.
