ClawHub

EPC Query For Auto Parts - 汽车配件EPC查询

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a purpose-aligned EPC parts lookup that sends user-supplied vehicle data to an external API, with privacy caveats users should understand.

Install only if you are comfortable sending vehicle identifiers, including VINs, to the JisuAPI service. Avoid using real private or fleet VINs unless the user explicitly wants an external EPC lookup and understands that the VIN will leave the local environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger description uses broad language like 'or similar EPC parts questions,' which can cause the skill to activate for loosely related queries. Over-broad activation is dangerous here because the skill can access an API key and may send vehicle data, including VINs, to a third party when the user did not clearly intend that workflow.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation encourages VIN queries without warning that VINs are sensitive vehicle identifiers and will be transmitted to an external service. This undermines informed consent and can expose personal, fleet, ownership, or service-linked vehicle data to a third party, especially if users paste real VINs from private vehicles.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The vin() function forwards a user-provided VIN to a third-party EPC service, which is an external transmission of potentially sensitive vehicle-identifying data. While this is core to the skill's purpose and not inherently malicious, the lack of an explicit warning, consent flow, or data-handling notice means users may unknowingly disclose sensitive information to an external provider.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal