Safety Checker

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Camino API wrapper that sends user-provided coordinates to Camino for nearby safety resources, with no hidden persistence, destructive behavior, or unrelated data access found.

Install only if you are comfortable sending the locations you check, plus your Camino API key for authentication, to Camino's API. Prefer the specific skill install command rather than installing the whole Camino suite unless you want the other skills too, and avoid querying highly sensitive exact locations if that privacy tradeoff is not acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill explicitly requires shell binaries (`curl`, `jq`) and documents shell-script execution, but it does not declare corresponding permissions. This creates a capability/permission mismatch that can mislead users and tooling about what the skill is able to execute, reducing sandboxing and review effectiveness.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script sends precise user-provided latitude/longitude and radius to a third-party service without any explicit user notice, consent prompt, or local-only alternative. Because the skill is specifically about late-night safety, the shared data can reveal a user's current or intended whereabouts at sensitive times, increasing privacy risk even if the transmission is functionally necessary.

External Transmission

Medium
Category
Data Exfiltration
Content
}')

# Make context API request
curl -s -X POST \
    -H "X-API-Key: $CAMINO_API_KEY" \
    -H "Content-Type: application/json" \
    -H "X-Client: claude-code-skill" \
Confidence
84% confidence
Finding
curl -s -X POST \ -H "X-API-Key: $CAMINO_API_KEY" \ -H "Content-Type: application/json" \ -H "X-Client: claude-code-skill" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
-H "Content-Type: application/json" \
    -H "X-Client: claude-code-skill" \
    -d "$CONTEXT_BODY" \
    "https://api.getcamino.ai/context" | jq .
Confidence
80% confidence
Finding
https://api.getcamino.ai/

VirusTotal

65/65 vendors flagged this skill as clean.
