SRT

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real SRT booking helper, but its monitoring mode can post reservation details to Discord and its stop command can terminate any process named by a user-writable PID file.

Install only if you are comfortable giving the skill SRT account credentials and letting it manage real reservations. Use private Discord channels, avoid sharing reservation IDs unless necessary, keep logs and PID files in a private directory, set short monitoring timeouts, and verify train or reservation details before booking, cancelling, or stopping a process.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The continuous monitoring flow instructs the agent to send status updates and reservation details to Discord via the message tool, extending the skill beyond core train booking into external data exfiltration. Even if intended for user convenience, this can disclose reservation identifiers, seat assignments, and operational state to third-party channels or wrong recipients.

Intent-Code Divergence

Medium
Confidence: 80%
Finding
The documentation claims runtime path validation for SRT_DATA_DIR and --log-file, but the file provides no verifiable enforcement and asks users to supply arbitrary paths. If the implementation does not actually constrain these paths, the skill could write logs, PID files, or cached data to unintended locations, enabling file overwrite or sensitive data exposure.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The status/stop helpers read a PID from a file supplied by args.pid_file and then call os.kill(pid, 0) or os.kill(pid, SIGTERM) without verifying that the PID belongs to this skill's own background retry process. That lets a caller with access to the command influence checks or termination of arbitrary local processes the current user is permitted to signal, which exceeds the intended train-booking scope and creates a local denial-of-service/control primitive.

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill exposes reservation and cancellation actions tied to a real SRT account without clearly warning that these operations have real-world consequences. Users may trigger bookings or cancellations affecting travel plans and potentially incurring payment obligations or loss of reservations.

Missing User Warnings

Medium
Confidence: 91%
Finding
The monitoring flow directs the agent to send reservation outcomes, including booking identifiers and seat information, to Discord without a clear privacy notice or consent checkpoint. This increases the risk of leaking personally associated travel data to external systems or unintended channels.

VirusTotal

65/65 vendors flagged this skill as clean.