Used car recommender

Security checks across malware telemetry and agentic risk

Overview

This used-car advisor is coherent and disclosed, but it searches external car sites and may fetch listing images, so users should understand those data flows.

Install dependencies in a virtual environment, provide only the location precision you are comfortable sharing, and treat AI listing/photo analysis as screening help only; verify MOT, HPI, service history, seller identity, and vehicle condition independently before buying.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The skill embeds concrete local Python command lines and tells the agent to run them to perform searches. In a prompt-driven agent environment, operational instructions like this can turn a content skill into an execution pathway, increasing the risk of unintended code execution, network access, or abuse of local tooling beyond user expectations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The document explicitly instructs the agent to use a Shell tool to run local CLI commands, which expands the skill from advisory behavior into command execution. Even though the shown commands are car-search related, enabling shell execution increases the attack surface because later prompts or modified parameters could trigger unintended local command execution or access to local resources.

Description-Behavior Mismatch

Severity: Medium
Confidence: 86%
Finding
The documentation materially expands the skill from a recommender/advisor into a live listing retrieval and scraping workflow. That creates undeclared data access and execution behavior, increasing the attack surface and user/tooling expectations beyond the manifest-defined scope, which is a genuine security governance issue even if the functionality is not overtly malicious.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The documented image-fetching and photo-analysis workflow adds a new remote-content retrieval capability and encourages fetching untrusted URLs for analysis. This extends the skill beyond recommendation into network access and content inspection, which can expose the agent environment to unreviewed external resources and create SSRF-like or policy-bypass risks depending on how the Read tool resolves URLs.

Context-Inappropriate Capability

Severity: Medium
Confidence: 83%
Finding
The guide instructs the agent to execute a local CLI tool even though the skill is presented as an advisor/recommender. Invoking local programs is a sensitive capability because it can introduce command execution, dependency trust, and environment access risks that are not justified by the declared skill purpose alone.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
Using the Read tool to fetch remote images from listing-provided URLs is an extra capability not covered by the manifest and processes attacker-controlled external input. In skill context, this is more dangerous because listing content and URLs are inherently untrusted, so the agent may be induced to access unexpected hosts or resources under the guise of image inspection.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The skill is configured to auto-activate on very broad phrases like 'used car', brand names with 'used', and common buying topics. In practice, this can cause the agent to invoke the skill in ordinary conversation and begin using live-search functionality or steering the session without a strong, explicit user request, increasing the chance of unintended external actions or overcollection of context.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The README states that the skill will download and analyze listing photos, but it does not clearly require an explicit user consent step or warn that external image URLs will be fetched. That creates a privacy and safety risk because the agent may access third-party resources automatically, potentially leaking user interest/context through network requests and surprising users with external data access.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The trigger list contains many broad, generic automotive shopping terms such as brand names, 'reliability', 'mileage', 'service history', and 'car photos', which can match ordinary conversations that do not actually request this skill. This creates a real unintended-invocation risk, causing the agent to route users into this skill when they are asking general questions, discussing cars casually, or seeking non-UK advice.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The documentation encourages postcode-based searches across external platforms and scraping workflows without warning that user-provided location data will be sent to third-party services. In a consumer advisory skill, postcodes can be sensitive enough to reveal approximate home or work area, so omission of disclosure and consent guidance creates a real privacy risk, especially when combined with multi-platform transmission.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The guide instructs the agent to fetch remote image URLs directly via the Read tool without requiring user notice, consent, or URL validation. This can cause unintended external network access and exposure to attacker-controlled URLs, creating SSRF-like behavior, privacy leakage, or retrieval of untrusted content outside user expectations.

Missing User Warnings

Severity: Low
Confidence: 87%
Finding
The documentation encourages users to run multi-platform searches with inputs like postcode, budget, and vehicle preferences, but it does not disclose that these queries may be transmitted to third-party marketplaces. While this is not an exploit by itself, it is a real privacy and transparency issue because users may unknowingly share location-linked search data with external services and trigger third-party tracking or logging.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
requests>=2.31.0
beautifulsoup4>=4.12.0
lxml>=5.0.0
Confidence: 92%
Finding
requests>=2.31.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
requests>=2.31.0
beautifulsoup4>=4.12.0
lxml>=5.0.0

# Optional: AutoTrader support (recommended for better data quality)
Confidence: 90%
Finding
beautifulsoup4>=4.12.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
requests>=2.31.0
beautifulsoup4>=4.12.0
lxml>=5.0.0

# Optional: AutoTrader support (recommended for better data quality)
# Uncomment the line below to enable AutoTrader search:
Confidence: 93%
Finding
lxml>=5.0.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

Severity: High
Category: Supply Chain
Confidence: 96%
Finding
requests

Known Vulnerable Dependency: lxml — 10 advisory(ies): CVE-2021-43818 (lxml's HTML Cleaner allows crafted and SVG embedded scripts to pass through); CVE-2014-3146 (lxml Cross-site Scripting Via Control Characters); CVE-2021-28957 (lxml vulnerable to Cross-Site Scripting ) +7 more

Severity: High
Category: Supply Chain
Confidence: 95%
Finding
lxml

VirusTotal

VirusTotal findings are pending for this skill version.
