ClawHub

Location Awareness

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built for location tracking, but it handles highly sensitive location and credential data with broad environment loading and third-party location lookups that need careful review.

Review the skill before installing if you care about location privacy. Use a dedicated, minimal config file or environment containing only the required Home Assistant/location tokens, avoid putting unrelated secrets in ~/.openclaw/.env, and confirm whether you are comfortable sending coordinates or place searches to public mapping services. Only enable the cron job if you want continuous location monitoring, and require confirmation for deleting or changing saved places, reminders, or geofence rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill clearly relies on environment variables, reads/writes local configuration/state files, and performs network access to location providers and geocoding services, yet it declares no permissions or user-facing capability warnings. This creates a transparency and least-privilege problem: users and reviewers cannot easily understand that the skill can access sensitive location data, modify persistent files, and contact external services.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill description says it provides privacy-friendly GPS tracking, but the code also geocodes, reverse-geocodes, searches POIs, and calculates ETA using external services including Nominatim, Overpass, and OSRM. That mismatch is security-relevant because users may disclose precise location under the assumption processing is local/private, when in fact coordinates and place queries are sent to third parties.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The wrapper automatically sources a user-wide .env file and exports all variables into the process environment before launching location.py. That grants this skill access to credentials and unrelated secrets beyond the minimum needed for location functionality, and because source executes shell syntax, a tampered .env could also run arbitrary shell commands in the wrapper context.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This skill handles highly sensitive data: precise coordinates, inferred home/work locations, movement history, reverse-geocoded addresses, and nearby-place queries. The description does not warn users that invoking the skill may disclose or persist this information, which increases the risk of accidental privacy exposure in chats, logs, notifications, or shared environments.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documented commands include destructive or state-changing operations such as add/delete place, disable rules, and reminders, but there is no warning that they modify persistent data. In an agent setting, this can lead to accidental deletion or silent changes to geofences and reminders from ambiguous natural-language requests.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code sends precise latitude/longitude to external mapping services for reverse geocoding without any visible warning, consent mechanism, or privacy control. In a location-awareness skill, this is particularly sensitive because the data can reveal home, work, routines, and movement patterns to third-party operators contrary to user expectations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script silently pulls credentials from ~/.openclaw/.env with no user-facing disclosure or consent at invocation time. In a skill ecosystem, this increases the risk of users unknowingly granting a location-related tool access to sensitive Home Assistant tokens and any other secrets present in that shared file.

Session Persistence

Medium
Category
Rogue Agent
Content
### Automatic Notifications (OpenClaw Cron)

Use OpenClaw's built-in cron to run periodic location checks. Add a job to `~/.openclaw/cron/jobs.json`:

```json
{
Confidence
83% confidence
Finding
Add a job to

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal