Korea metropolitan bus alerts

Security checks across malware telemetry and agentic risk

Overview

The skill appears legitimate for bus alerts, but needs review because its helper can manage all Clawdbot cron jobs and does not actually enforce its DM-only delivery promise.

Review generated cron jobs before adding them, confirm the delivery target is your own DM, and be careful with list/remove because the helper can act on Clawdbot cron jobs beyond this bus-alert skill. Use a dedicated TAGO key if possible and keep the local env file and cron exports private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The script exposes generic `list` and `remove` operations over Clawdbot cron jobs without scoping them to jobs created by this skill. That exceeds the stated bus-alert purpose and can let a user enumerate or delete unrelated scheduled jobs, causing information disclosure or denial of service against other automations accessible to the same CLI context.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The documentation claims DM-only delivery is enforced, but the code accepts any arbitrary `channel` string and never verifies that the destination is a direct-message target. In a messaging-integrated automation tool, this mismatch can route scheduled bus summaries to public or unintended channels, leaking travel patterns or personal schedule information.

Context-Inappropriate Capability

Medium
Confidence: 82%
Finding
The setup script modifies systemd user service configuration and restarts the Clawdbot Gateway, which affects broader agent infrastructure beyond merely configuring bus alerts. In a skill package, this enlarged control surface is sensitive because a compromised or misleading skill setup can alter the execution environment for unrelated automations.

Missing User Warnings

Low
Confidence: 80%
Finding
The wizard prints the full generated job JSON, including the delivery target identifier such as a Telegram chat ID, without warning or masking. This can expose personal identifiers in terminal history, logs, screen recordings, or shared support output, creating a privacy leak even if it is not a direct code-execution issue.

VirusTotal

66/66 vendors flagged this skill as clean.
