Parcel Station Route Qr

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches a parcel-station QR chatbot, but it bundles an unrelated Notion sync script that reads local credentials and sends data to Notion without disclosure.

Review this skill before installing. The parcel-station route and QR instructions are coherent, but the package should remove or clearly document the unrelated Notion sync script, including what credentials it reads and what data it sends. If used, add a QR confirmation step before sending decoded content and only bypass self-signed certificate warnings for local development on a trusted network.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

High (97% confidence)
Finding
This file is a standalone Notion synchronization CLI that is unrelated to the declared parcel-station route guidance and QR scanning functionality. In a skill package, unrelated code that reads local secrets and syncs user content externally materially increases supply-chain risk because it expands capabilities beyond the stated purpose and could be used to exfiltrate operational or user data.

Context-Inappropriate Capability

High (99% confidence)
Finding
The code reads Notion credentials from local config files and uses them to make authenticated external API calls, despite no clear connection to the skill's stated purpose. This creates an unjustified secret-access and outbound-network capability that could expose locally stored credentials and transmit user or operational data to a third party without appropriate scope limitation.

Missing User Warnings

Medium (95% confidence)
Finding
The QR workflow explicitly says decoded content is automatically sent after scanning, without a review or confirmation step. QR codes can encode malicious URLs, prompt-injection text, or unintended commands, so auto-submission increases the chance of phishing, unsafe navigation, or injection into the chatbot context.

Missing User Warnings

Medium (91% confidence)
Finding
The instructions tell users to click through a self-signed certificate warning without clearly explaining the trust and MITM risks. Training users to bypass browser TLS warnings normalizes unsafe behavior and could lead them to ignore legitimate certificate attacks in other contexts.

Missing User Warnings

Medium (90% confidence)
Finding
Reading API keys and database identifiers from a user's local configuration without any user-facing disclosure is a privacy and trust violation, especially inside a skill whose advertised purpose does not mention Notion integration. Even if the files are expected in a developer environment, bundling this behavior in the skill broadens access to sensitive local material without transparency.

Missing User Warnings

Medium (93% confidence)
Finding
The function sends user-provided title/content and related metadata to the Notion API over the network without any explicit privacy notice, consent flow, or indication in the skill description that external transmission occurs. In context, this is more dangerous because users of a parcel-station route/QR skill would not reasonably expect their inputs to be synced to a third-party note service.

VirusTotal

VirusTotal findings are pending for this skill version.