While traveling, try recreating iconic scenes from classic movies in your photos!

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but users should understand it uses and displays location details to produce nearby filming-location recommendations.

Install only if you are comfortable with a location-based skill using IP geolocation, web search, weather lookup, maps, and image generation. Avoid entering a home address or other sensitive precise location unless necessary, and avoid sharing the resulting transcript if it contains exact coordinates. Use the install script's dry-run option or a single explicit platform if you want to preview where files will be written.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 93%
Finding:
The README explicitly states that the skill auto-detects the user's city via IP geolocation and uses external weather/location lookups, but it does not clearly warn users that their IP-derived location or related query data may be sent to third-party services. In a location-based skill, this omission matters because users may unknowingly disclose sensitive location information, travel patterns, or nearby-position context to external providers.

Missing User Warnings

Medium
Confidence: 92%
Finding:
The skill directs collection of the user's precise location, including specific landmark/intersection/address details and 6-decimal-place coordinates, without an explicit privacy notice, minimization rationale, or retention policy. Precise location data is highly sensitive and can expose home, workplace, routines, or other private movements if mishandled or displayed.

Missing User Warnings

Medium
Confidence: 97%
Finding:
The logging instructions explicitly include detected coordinates and confirmed user location in visible execution logs. Exposing sensitive location data in logs increases the chance of inadvertent disclosure to users, operators, downstream systems, or any party with log access.

Ssd 3

Medium
Confidence: 95%
Finding:
The skill not only collects precise location data but instructs that it be surfaced in output logs shown to the user, compounding privacy exposure. Publicly echoing exact coordinates and confirmation details can leak sensitive information into transcripts, screenshots, or shared outputs beyond the user's immediate intent.

VirusTotal

63/63 vendors flagged this skill as clean.
