ClawHub

Las Vegas

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Las Vegas guide, but it asks the agent to quietly store personal travel, budget, work, family, and relocation details in persistent memory without clear user-facing consent.

Install only if you are comfortable with the agent maintaining persistent Las Vegas notes. Before using it, ask the agent not to save personal details unless you explicitly approve, and independently verify medical, legal, tax, housing, licensing, safety, venue, and pricing information before acting on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill directs itself to ask for automatic activation and then write an 'Active Skills' entry into persistent memory very early, even though a Las Vegas guide can function without changing long-term agent behavior. This creates unnecessary persistence and profiling for travel, relocation, and tax-related topics, expanding collection beyond what is needed for a city-guide interaction and increasing the chance of unwanted auto-invocation and privacy harm.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs saving personal profile details such as family situation, work situation, budget level, mover/resident status, and neighborhoods of interest to memory as a default behavior. For a city guide, this is broader than necessary to answer most questions and can create a persistent personal dossier that could later influence unrelated interactions or expose sensitive lifestyle and financial inferences.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The activation rule is very broad: any user asking about Las Vegas 'for any purpose' can trigger the skill, including casual mentions that do not imply consent to use this city-guide behavior. Over-broad activation can cause inappropriate routing, irrelevant responses, and increased exposure to the skill's guidance when a general assistant response would be more appropriate.

Missing User Warnings

Low
Confidence
94% confidence
Finding
This file provides detailed business-formation, licensing, tax, and employment guidance with specific fees and thresholds, but it does not clearly warn that these requirements can change and should be verified before use. In a business-compliance context, stale or overgeneralized information can cause users to form the wrong entity, miss filings, underpay taxes, or operate without required licenses.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The 'hidden gem' test relies on ethnicity and language-based heuristics such as 'Packed with Asians' and 'No English on menu' to judge restaurant quality. This is problematic because it normalizes stereotyping and exclusionary guidance, which can alienate users and encode biased decision-making into the skill's recommendations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This file gives healthcare navigation guidance, cost estimates, ER triage suggestions, mental health resources, and hospital quality information without a clear disclaimer that it is informational only and not a substitute for professional medical advice. Users may rely on the content for care decisions, especially around urgent vs emergency treatment, and outdated or generalized guidance could delay appropriate treatment or mislead vulnerable users.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The template explicitly instructs creation and ongoing maintenance of a persistent memory file containing user travel, relocation, budget, family, and preference data, but provides no user notice, consent flow, retention limit, or guidance on minimizing sensitive data collection. This creates a privacy and data-governance risk because the agent may silently accumulate personal context across interactions in a way the user does not expect.

Missing User Warnings

Low
Confidence
93% confidence
Finding
The file explicitly advises users to 'Drive neighborhoods' while discussing areas flagged elsewhere in the document as having higher crime, being rough, or requiring caution, but it does not provide basic personal-safety guidance for scouting those areas. In a travel/relocation skill, users may reasonably act on this advice, creating avoidable real-world safety risk such as visiting unfamiliar neighborhoods alone, at night, or without verification of listings and surroundings.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
The section 'No if you' includes 'Value diversity and grit' as a reason not to live in Summerlin, which frames diversity as an undesirable trait in housing suitability guidance. In a neighborhood-selection skill, this can steer users using protected-characteristic-adjacent preferences and reinforce discriminatory housing narratives, creating fair-housing and reputational risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The file tells the skill to save user context to memory and 'confirm saves naturally' while also instructing it to never mention internal storage, which means persistence may occur without a clear user-facing notice. Silent persistence undermines informed consent and makes users less able to understand, challenge, or limit ongoing storage of their travel, relocation, and personal profile information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The family itinerary lists attractions such as Bodies exhibit and Marvel Avengers STATION without clearly warning that exhibit availability, content suitability, or age-appropriateness may vary. In a family-travel context, this can mislead caregivers into planning child-focused activities that may be restricted, disturbing, or unsuitable for some children, causing avoidable exposure and disruption.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The nightlife section presents guidance under binary gender categories and ties access, cost, and treatment to those categories without inclusive alternatives or caveats. This can exclude non-binary, transgender, or gender-nonconforming users, and may lead users to rely on advice that does not fit their identity or could expose them to awkward or unsafe situations at venues with inconsistent door policies.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal