ClawHub

TomTom Traffic Intelligence

Security checks across malware telemetry and agentic risk

Overview

This TomTom traffic helper appears to do what it says, with expected API-key and location sharing for route lookups.

Install this only if you want TomTom-based traffic planning. Use a dedicated TomTom API key with quota limits, review or edit the default home/work/coffee coordinates before use, and remember that route locations will be sent to TomTom when commands run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation indicates use of environment variables and outbound network access to the TomTom API, but no explicit permissions are declared in the skill metadata. This creates a transparency and governance gap: users or hosting systems may invoke a skill with capabilities they did not clearly authorize, increasing the risk of unintended secret access or external data exfiltration if the implementation changes or is abused.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The read_when conditions are broad enough to match normal conversation about traffic, commute times, departure planning, or meeting alerts, which can cause the skill to activate in contexts the user did not explicitly intend. Because the skill uses network access and location-oriented routing logic, over-broad invocation increases the chance of unnecessary external API calls, accidental disclosure of contextual information, or confusing agent behavior.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal