ClawHub

New Zealand

Security checks across malware telemetry and agentic risk

Overview

This New Zealand travel-planning skill is coherent and locally scoped, though users should know it keeps trip preferences in a local memory file.

Install only if you are comfortable with the agent keeping New Zealand trip notes in ~/new-zealand/memory.md. Avoid saving passport numbers, payment details, or sensitive documents there, and review or delete the file when you no longer want that trip context retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation trigger 'When the user first brings up New Zealand travel' is vague enough that the skill may activate in loosely related conversations, causing unexpected behavior and premature data collection. In this skill, that ambiguity matters because activation immediately leads into creating persistent storage and gathering personal trip constraints.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs creation of a persistent memory file and storage of user travel preferences and constraints without any user-facing disclosure or consent step. This creates a privacy risk because sensitive personal details like mobility limits, budget constraints, and itinerary anchors may be retained unexpectedly across sessions.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The returning-user flow explicitly says to read persisted memory 'silently,' meaning the system accesses stored user data without notifying the user. Hidden reuse of prior travel preferences and constraints undermines transparency and can expose or act on stale or sensitive information the user did not expect to be recalled.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal