VIN (Vehicle Identification Number) Query - VIN车辆识别代码查询 (VIN vehicle identification code lookup)

Security checks across malware telemetry and agentic risk

Overview

This skill's observed behavior matches its advertised purpose: VIN and vehicle-detail lookups through JisuAPI. The review raises privacy considerations about the third-party transmission but found no evidence of hidden or harmful behavior.

Install only if you are comfortable sending queried VINs and vehicle model IDs (carid) to JisuAPI. Use a dedicated JISU_API_KEY with quota limits so that a leaked or abused key has bounded impact, do not run the skill against fleet or personal vehicle data you are not authorized to query, and make sure the Python requests dependency is installed from a trusted, pinned source rather than an arbitrary index.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The trigger description is broad enough that the skill may activate on loosely related requests about vehicle details, so free-text input that merely resembles a vehicle query could be forwarded to a third-party service as if it were a VIN. In this context VINs can be sensitive identifiers, so over-broad routing increases privacy and data-handling risk even though the skill's purpose is legitimate.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The installer-facing documentation states that the skill sends VIN data to JisuAPI, but the skill itself never discloses this to the end user at query time or asks for consent. Because a VIN is a unique vehicle identifier that may be linked to an individual or asset, silent third-party transmission creates a meaningful privacy risk in this skill's operating context.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The skill sends the full VIN together with the API key to a third-party service without any user-facing disclosure or consent mechanism. VINs can be sensitive identifiers tied to a specific vehicle and sometimes to an individual, so transmitting them off-platform creates a privacy and data-governance risk even though the transport uses HTTPS.

Missing User Warnings

Severity: Low
Confidence: 81%
Finding: The oil and gearbox lookup functions also transmit user-derived vehicle identifiers (carid) to the same external service without explicit disclosure. A carid is generally less sensitive than a raw VIN, but these calls still expose the user's query context to a third party and may surprise users who expect local-only processing.
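The first three findings share one root cause: any text the trigger matches is forwarded to JisuAPI, and nothing tells the user before it leaves the host. The wrapper below is an added example of how a skill author could close both gaps; it is not the skill's code. It validates the input as a structurally well-formed VIN (ISO 3779 layout, with the optional North American check digit), refuses to transmit until the user has accepted a disclosure, reads the dedicated JISU_API_KEY, and writes only a redacted VIN to the audit log. The endpoint URL, the request parameter names and the `send` transport are placeholders and assumptions so that it runs offline; the VIN used is a published sample, not a real vehicle of anyone's.

```python
import hashlib
import os
import re
from typing import Callable, Optional

# Added example, not the skill's own code. The endpoint URL and request parameter
# names are assumptions (placeholders); the transport is injected so this runs offline.
JISU_VIN_URL = "https://example.invalid/vin/query"  # placeholder, not JisuAPI's real endpoint

# ISO 3779 structure: exactly 17 characters; the letters I, O and Q are never used.
VIN_RE = re.compile(r"^[A-HJ-NPR-Z0-9]{17}$")
# Letter transliteration and position weights for the ISO 3779 / FMVSS 115 check digit.
_LETTER_VALUES = dict(zip("ABCDEFGHJKLMNPRSTUVWXYZ",
                          [1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 7, 9, 2, 3, 4, 5, 6, 7, 8, 9]))
_WEIGHTS = [8, 7, 6, 5, 4, 3, 2, 10, 0, 9, 8, 7, 6, 5, 4, 3, 2]


def expected_check_digit(vin: str) -> str:
    """Check digit for position 9 (mandatory in North America, advisory elsewhere).
    Assumes `vin` already passed the structural check in validate_vin()."""
    total = 0
    for weight, ch in zip(_WEIGHTS, vin):
        total += weight * (_LETTER_VALUES[ch] if ch.isalpha() else int(ch))
    remainder = total % 11
    return "X" if remainder == 10 else str(remainder)


def validate_vin(raw: str, require_check_digit: bool = False) -> Optional[str]:
    """Return None for an acceptable VIN, otherwise the rejection reason.
    Rejected input never leaves the host, so a loosely matched request such as
    'what oil does my car take' cannot be forwarded as if it were a VIN."""
    vin = raw.strip().upper()
    if not VIN_RE.fullmatch(vin):
        return "not a 17-character VIN (or contains I/O/Q)"
    if require_check_digit and vin[8] != expected_check_digit(vin):
        return "check digit mismatch"
    return None


def redact_vin(vin: str) -> str:
    """Log-safe form: last four characters plus a short hash, never the full VIN."""
    digest = hashlib.sha256(vin.encode()).hexdigest()[:8]
    return f"***{vin[-4:]} (sha256:{digest})"


def lookup_vin(raw: str, *, user_consented: bool, send: Callable[[str, dict], dict],
               audit: Callable[[str], None], api_key: Optional[str] = None,
               require_check_digit: bool = False) -> dict:
    """Consent-gated lookup: validate, confirm the disclosure was accepted, then transmit.
    The API key and the full VIN are never written to the audit log."""
    vin = raw.strip().upper()
    reason = validate_vin(vin, require_check_digit)
    if reason is not None:
        audit(f"rejected input: {reason}")
        return {"status": "rejected", "reason": reason}
    if not user_consented:
        audit(f"consent missing for {redact_vin(vin)}; nothing transmitted")
        return {"status": "consent_required",
                "notice": "This lookup sends the VIN to JisuAPI, a third-party service."}
    api_key = api_key or os.environ.get("JISU_API_KEY")  # dedicated, quota-limited key
    if not api_key:
        return {"status": "error", "reason": "JISU_API_KEY not set"}
    audit(f"transmitting {redact_vin(vin)} to {JISU_VIN_URL}")
    response = send(JISU_VIN_URL, {"appkey": api_key, "vin": vin})  # parameter names assumed
    return {"status": "sent", "response": response}


def fake_send(url: str, params: dict) -> dict:
    """Constructed offline stand-in for the HTTPS call; records what would have gone out."""
    return {"url": url, "sent_fields": sorted(params)}


if __name__ == "__main__":
    log = []
    print(lookup_vin("what oil does my car take", user_consented=True,
                     send=fake_send, audit=log.append, api_key="demo-key"))
    print(lookup_vin("1M8GDM9AXKP042788", user_consented=False,
                     send=fake_send, audit=log.append, api_key="demo-key"))
    print(lookup_vin("1M8GDM9AXKP042788", user_consented=True, require_check_digit=True,
                     send=fake_send, audit=log.append, api_key="demo-key"))
    print("\n".join(log))  # neither the full VIN nor the key appears in the audit trail
```

The check-digit test is deliberately opt-in: it is only guaranteed for vehicles sold in North America, so enforcing it everywhere would reject legitimate VINs. The structural check alone already stops arbitrary prose from reaching the third party, which is the over-broad-trigger risk the first finding describes; the consent gate and redacted logging address the two disclosure findings. Replace `fake_send` with the real HTTPS call when wiring this into the skill.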

VirusTotal

63/63 vendors reported this skill as clean; no engine flagged it.