LovTrip Meetup Planner

Security checks across malware telemetry and agentic risk

Overview

This meetup-planning skill is coherent and purpose-aligned, but users should handle participant location and schedule details carefully.

Install only if you are comfortable using LovTrip/AMap-backed planning tools. Share coarse locations when possible, avoid home/work exact coordinates unless necessary, get participant consent before processing or sharing their details, use a restricted AMap API key, and verify or pin the npm package instead of relying blindly on `@latest`.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence: 88%
Finding
The skill description is broad enough to trigger in ambiguous situations involving meetup, dating, or location optimization without clearly stating what data should or should not be handled. In this context, that increases the chance the agent will collect or process sensitive participant location and schedule data when a more privacy-scoped or domain-limited skill should be used.

Missing User Warnings

Medium
Confidence: 94%
Finding
The description does not warn that the skill processes participants' locations, time availability, and potentially interest data, all of which are sensitive personal information. Without an upfront warning and consent-oriented guidance, users or upstream agents may provide more personal data than necessary, creating avoidable privacy and safety risks.

Missing User Warnings

Medium
Confidence: 91%
Finding
The example shares multiple participants' location information, including precise coordinates, with external mapping and weather-related functions without any visible consent, minimization, or privacy notice. In a meetup-planning context this is sensitive personal data about several people, and normalizing such transmission can lead to over-collection, unintended disclosure, or misuse of third-party location data.

Missing User Warnings

Medium
Confidence: 95%
Finding
The workflow generates external map links from exact member coordinates, which can expose precise locations of multiple individuals to third parties or anyone with access to the generated links. Because this is a social-planning skill involving real people, sharing exact coordinates is more dangerous than generic venue routing and creates unnecessary privacy and stalking risk.

Missing User Warnings

Medium
Confidence: 89%
Finding
The reference documents the handling of sensitive personal data such as attendee names, precise locations, schedules, and calendar export fields, but provides no privacy notice, minimization guidance, or consent expectations. In a meetup-planning skill, these fields can reveal social relationships, routines, and real-world presence, increasing privacy and stalking risks if logged, retained, shared, or exported without user awareness.

VirusTotal

64/64 vendors flagged this skill as clean.
