Trail Nav via Telegram (low-token)

Security checks across malware telemetry and agentic risk

Overview

The skill’s route guidance features are coherent, but its setup scripts can install unpinned external code and persistently modify OpenClaw configuration, so it needs review before use.

Install only if you are comfortable with a setup script that downloads external code, runs `npm` commands, and modifies your OpenClaw configuration. Review the outsideclaw repository first, consider pinning a known commit, avoid `--restart` until you have checked the config diff, and treat the weather/map features as online features that may disclose route or location context to third parties.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (23)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 79%
Finding: The skill declares itself as offline-capable hiking guidance, but the manifest documents networked and environment-sensitive capabilities without any explicit permission declaration or narrowing of scope. This is dangerous because operators may deploy it with broader trust than warranted, while the skill can reach external services and local environment/configuration surfaces indirectly through its bundled scripts.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: This is a strong true positive: the skill is marketed as offline-capable route guidance and trip prep, but it also includes live network fetches, external repo installation/update, config patching, and optional gateway restart. Such description-behavior mismatch is dangerous because users may authorize the skill for benign navigation use while it performs system-modifying actions and reaches external services far outside that trust boundary.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding: The bundled scripts materially exceed the stated hiking/navigation purpose by installing outside repositories and patching OpenClaw configuration. Hidden or underemphasized administrative functionality increases the chance of unintended privilege use, supply-chain exposure, and persistent changes to the host environment.

Context-Inappropriate Capability

Medium
Confidence: 87%
Finding: One-click setup, configuration patching, and optional gateway restart are not necessary for ordinary hiking route guidance and therefore expand the attack surface beyond the skill's core function. In context, this makes the skill more dangerous because a user seeking navigation help may unknowingly introduce system-level changes and service disruption capabilities.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding: The documentation explicitly directs users to install the full outsideclaw repository/CLI and modify OpenClaw configuration, which is materially broader than the declared skill scope of route guidance, route discovery, and trip-prep assistance. This creates a supply-chain and privilege-expansion risk because operators may trust the skill as narrowly scoped while the documented setup brings in a larger codebase and alters agent runtime configuration.

Intent-Code Divergence

Low
Confidence: 77%
Finding: The safety wording understates the effect of the setup by saying it 'only appends the skill entry' while the same document states that it patches an OpenClaw config JSON and may restart the gateway. Misleading safety claims can cause operators to underestimate the extent of system changes, reducing scrutiny around configuration integrity and deployment impact.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding: The script advertises offline operation, but enabling `--wx on` causes a live request to Open-Meteo. This discrepancy can mislead operators into deploying it in privacy-sensitive or no-network contexts, causing unexpected data egress and operational policy violations.

Intent-Code Divergence

Medium
Confidence: 97%
Finding: The comments state 'No LLM involved' and 'Works offline', yet the code contains an online weather-fetch path. In agent workflows, misleading trust signals are dangerous because they can bypass review assumptions and result in unapproved external communication.

Intent-Code Divergence

Medium
Confidence: 96%
Finding: The header states the tool works offline, but enabling `--wx on` causes live requests to Open-Meteo with precise latitude/longitude and timezone. That mismatch can mislead operators into using the script in privacy-sensitive or disconnected contexts, creating unanticipated data disclosure and reliability issues.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding: The script is presented as deterministic offline route guidance, yet it also includes remote weather retrieval logic. In a hiking/Telegram workflow, hidden online behavior is more dangerous because users may assume no external communications while sharing current route-adjacent location data.

Description-Behavior Mismatch

Medium
Confidence: 86%
Finding: The script pulls code from a remote Git repository and immediately installs and runs project setup via npm. That creates a software supply-chain and arbitrary code execution path during setup, because a compromised repository, changed dependency, or attacker-controlled override of `OUTSIDECLAW_REPO_URL` can execute code on the host. In the context of an agent skill for hiking guidance, this behavior is broader than the stated user-facing functionality and increases risk because it bootstraps unpinned external code.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding: Running `npm install` and `npm run setup` executes code defined by the downloaded project and its dependency tree, including lifecycle scripts. This is dangerous because it can lead to arbitrary command execution, persistence, credential theft, or environment tampering if the package tree or repository is malicious or compromised. The skill context does not require unrestricted installation-time code execution, so this is more dangerous than if it were a clearly scoped package-management skill.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding: The script claims an offline-capable route guidance use case, but the generated HTML loads Leaflet JS/CSS from unpkg and map tiles from OpenStreetMap over the network. This creates an undeclared online dependency and exposes route viewport/location data to third-party services, which is especially relevant for hiking routes that may reveal sensitive trip locations.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding: The renderer loads Leaflet JavaScript/CSS from unpkg.com and OpenStreetMap tiles at runtime, so it is not actually offline-only and will make third-party network requests when rendering. In this hiking-route context, those requests can disclose that route rendering occurred and may expose route/geographic interest data to external services, undermining privacy and reliability assumptions.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding: This script materially expands the skill beyond its declared scope by adding weather forecasting and alerting logic. In an agent setting, undocumented capabilities are security-relevant because they can trigger unexpected decisions, broaden data flows, and make review and policy enforcement harder, especially when the manifest emphasizes offline-capable route guidance rather than live forecasting.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding: The code introduces live access to an external weather API even though the skill is described as offline-capable Telegram route guidance. This creates an undocumented network dependency and transmits precise location data externally, which can expose user whereabouts and break assumptions that the skill operates without external connectivity.

Missing User Warnings

Medium
Confidence: 98%
Finding: The weather request sends precise latitude and longitude to a third-party API without any user-facing notice, consent, or minimization. For a hiking/Telegram skill, location data is highly sensitive because it can reveal a user's real-time whereabouts and travel patterns.

Missing User Warnings

Medium
Confidence: 95%
Finding: The code sends latitude, longitude, timezone, and forecast parameters to `api.open-meteo.com` without any explicit user-facing disclosure in output or usage flow. For a hiking guidance skill handling live location, silent third-party transmission is a meaningful privacy issue, especially in sensitive travel or wilderness contexts.

Missing User Warnings

Medium
Confidence: 92%
Finding: The script is explicitly designed as a 'one-click setup' that installs software, patches a user-supplied OpenClaw configuration, and may restart the gateway, but it does not present an interactive warning or confirmation before taking those state-changing actions. In an agent-skill ecosystem, packaging these side effects behind a convenience script increases the risk of unintended installation or configuration drift, especially if invoked by a user or automation that does not fully inspect the script first.

Missing User Warnings

Medium
Confidence: 90%
Finding: The script invokes a secondary setup script directly without additional runtime disclosure or user confirmation, so the effective behavior depends on another file whose actions may be broader than the caller visibly communicates. This is dangerous because users may treat the wrapper as a simple config helper while it actually chains into installation logic, increasing the chance of unexpected system changes or abuse if the subordinate script is modified.

Missing User Warnings

Medium
Confidence: 91%
Finding: The generated page requests third-party assets and tiles without any notice to the operator, which can disclose route-related geographic areas, timing, IP address, and usage metadata. In the context of hiking and overnight trip planning, route privacy may matter for personal safety, sensitive locations, or operational secrecy.

Missing User Warnings

Medium
Confidence: 93%
Finding: The script makes external requests for CDN-hosted Leaflet assets and OpenStreetMap tiles without warning the user, which is dangerous in an 'offline-capable' hiking workflow where users may reasonably expect route data handling to stay local. Even if exact coordinates are embedded locally in the HTML, requesting map tiles for the route viewport leaks location context and usage metadata to third parties.

External Transmission

Medium
Category: Data Exfiltration
Content:
    "visibility",
  ];

  const url = new URL("https://api.open-meteo.com/v1/forecast");
  url.searchParams.set("latitude", String(lat));
  url.searchParams.set("longitude", String(lon));
  url.searchParams.set("timezone", tz);
Confidence: 98%
Finding: https://api.open-meteo.com/

VirusTotal

64/64 vendors flagged this skill as clean.