ClawHub

Car Rental

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only car-rental helper with disclosed local storage and optional alerts, though users should choose narrow activation and memory settings.

Install only if you want a car-rental assistant that may keep local preferences, saved searches, and alert history. During setup, choose narrow activation for explicit car-rental requests if you do not want general travel conversations to trigger it, approve ~/car-rental/ storage only if you want personalization, and disable or delete local alerts and memory when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill’s activation guidance is broad enough to trigger on general requests about vehicles, renting, leasing, or deals, which can cause the agent to invoke this skill outside the user’s actual intent. Over-broad activation can lead to unnecessary data collection, irrelevant guidance, or premature prompting to create local storage and monitor searches, increasing privacy and workflow risk.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The template explicitly tells the agent to persistently store user preferences, insurance details, budgets, loyalty memberships, frequent locations, alerts, and rental history as they are 'learned from conversations,' but it provides no clear consent trigger, minimization rule, retention limit, or sensitivity boundary. In a travel context, this creates a real privacy risk because repeated storage of location patterns and financial/preferences data can build a detailed behavioral profile without the user clearly opting in each time.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The file directs creation of a persistent memory file under the user's home directory and ongoing updates containing personal preferences and frequent locations, but it includes no user-facing notice about retention, review, deletion, or privacy consequences. That makes the persistence itself risky: the agent may silently accumulate personal travel and preference data over time, increasing exposure if the file is accessed by other tools, users, or compromised processes.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill asks to activate "whenever you mention car rentals or travel," which makes the trigger scope much broader than the stated car-rental purpose. Overbroad activation can cause the skill to engage in unrelated travel conversations, collect more user data than necessary, and create opportunities for unintended file writes or persistent memory updates based on weak relevance.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal