ClawHub

School Finder

Security checks across malware telemetry and agentic risk

Overview

This school-finder skill appears purpose-aligned, but it sends precise location and school-search data to an external Camino API without clear user-facing privacy disclosure.

Review this skill before installing if you may enter home addresses, child-related school searches, or precise coordinates. It does not appear malicious from the supplied evidence, but it should be treated as a privacy-sensitive network tool until it clearly discloses what it sends to Camino and how that data is handled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill sends precise locations, addresses, and school-search queries to Camino's external API, but the description and usage guidance do not clearly warn users that this data leaves the local environment. Because home addresses and school searches can reveal sensitive household and child-related location patterns, the lack of an explicit privacy disclosure increases the risk of unintended data exposure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script sends user-supplied query and location data, including lat/lon and radius, to an external Camino endpoint without any user-facing notice at runtime. For a location-based skill this transmission is functionally expected, but the absence of disclosure and consent creates a privacy risk because precise location data can be sensitive and users may not realize it leaves the local environment.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal