ClawHub

Spain

Security checks across malware telemetry and agentic risk

Overview

This Spain travel helper is a markdown-only guide that stores trip preferences locally, with some broad memory wording users should understand before enabling.

Install this if you want a Spain travel assistant that keeps trip context locally. Avoid saving sensitive health or accessibility details unless needed, and answer no to the broad 'jump in whenever Spain comes up' prompt unless you want that persistent behavior across future conversations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Low
Confidence
94% confidence
Finding
The template explicitly instructs creation of a persistent memory file containing traveler notes, preferences, dietary needs, mobility information, and trip details, but provides no warning, consent language, retention guidance, or data minimization controls. This creates a real privacy risk because potentially sensitive personal data is being stored on disk in a predictable location (`~/spain/memory.md`) where it may persist longer than the user expects or be accessed by other tools.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation condition "when `~/spain/` doesn't exist or is empty" plus "Start naturally" is underspecified and can cause the skill to engage without a clear, user-scoped trigger. In a travel assistant context, that raises the risk of unsolicited memory initialization or broad intervention in ordinary Spain-related conversation, which can confuse users and over-collect trip preferences.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The prompt "Want me to jump in whenever Spain comes up?" creates an open-ended standing authorization with no limits on topic, duration, or context. That can lead to persistent triggering across unrelated conversations mentioning Spain and increase the chance of unnecessary monitoring, interruption, or collection of travel-related personal data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal