Base Station / Cell Query - 基站查询

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward cell-tower lookup skill that sends user-provided tower identifiers to JisuAPI to return an approximate location.

Before installing, be comfortable sharing queried base-station identifiers with JisuAPI and using your JISU_API_KEY for those requests. Treat both submitted tower data and returned locations as privacy-sensitive, and confirm your Python environment has the requests package if execution fails.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding:
The skill requires an API key from the environment and explicitly calls an external third-party service, but the skill file does not declare permissions in a way that clearly exposes those capabilities to the platform/user. This creates a transparency and governance gap: users or orchestrators may not realize the skill will access secrets and transmit query data over the network, increasing the risk of unintended data disclosure or policy bypass.

Missing User Warnings

Medium
Confidence: 95%
Finding:
This skill processes base-station parameters that can reveal a device's approximate physical location and sends them to a third-party API, but the description does not warn users about that external disclosure. Because the data is location-related and potentially sensitive, lack of notice and consent can lead to privacy harm, misuse, or noncompliance with internal data-handling expectations.

VirusTotal

64/64 vendors flagged this skill as clean.
