Journey

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Camino API wrapper that sends user-provided trip waypoints to Camino for route planning.

Install only if you are comfortable sending location and itinerary details to Camino. Use a dedicated Camino API key, avoid putting private home, client, or sensitive travel-security locations in requests, and prefer the scoped ClawHub or specific-skill install rather than installing the entire companion suite unless you have reviewed it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

External Transmission

Medium

Category: Data Exfiltration
Content: fi # Make API request curl -s -X POST \ -H "X-API-Key: $CAMINO_API_KEY" \ -H "Content-Type: application/json" \ -H "X-Client: claude-code-skill" \
Confidence: 97% confidence
Finding: curl -s -X POST \ -H "X-API-Key: $CAMINO_API_KEY" \ -H "Content-Type: application/json" \ -H "X-Client: claude-code-skill" \ -d

External Transmission

Medium

Category: Data Exfiltration
Content: -H "Content-Type: application/json" \ -H "X-Client: claude-code-skill" \ -d "$INPUT" \ "https://api.getcamino.ai/journey" | jq .
Confidence: 95% confidence
Finding: https://api.getcamino.ai/

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal