ClawHub

Planefilter

Security checks across malware telemetry and agentic risk

Overview

This is a read-only flight aircraft lookup skill that uses disclosed aviation APIs, with privacy and API-key caveats but no evidence of hidden, destructive, or unrelated behavior.

Install this only if you are comfortable sending flight numbers and dates to OpenSky, AeroDataBox/RapidAPI, and optionally AirLabs. Use limited API keys where possible, monitor API quota, and avoid enabling the optional AirLabs key in environments that log full request URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The security annotation states that the module accesses no endpoints, but the code exposes generic GET and POST helpers that can contact arbitrary HTTP or HTTPS URLs. This creates a misleading trust boundary for reviewers and automated tooling, and if higher-level code passes user-influenced URLs, the module can enable SSRF, data exfiltration, or unexpected outbound network access.

Vague Triggers

Medium
Confidence
74% confidence
Finding
The trigger list includes broad phrases such as 'flight number' and 'what plane', which can cause the skill to activate on generic user requests outside the user's clear intent. Overbroad activation can route more conversations and potentially sensitive travel-related queries to this skill and its external providers than necessary.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill sends flight queries to third-party aviation APIs, but the description does not clearly warn users that their requested flight number/date may be transmitted externally. This creates a transparency and privacy risk because travel queries can reveal itinerary interests or other sensitive context without informed user awareness.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal