Rental-Car Self-Drive Pre-Trip Assistant: Preparation Checklist + Country-Specific Notes + Classic Routes

Security checks across malware telemetry and agentic risk

Overview

This is a travel-planning skill that generates a rental-car checklist and route HTML page without requesting system access, credentials, or background execution.

Safe to install for generating rental-car trip planning pages. Treat its legal, insurance, road-rule, emergency-number, and route guidance as planning help only, and verify official rules, rental contracts, insurance terms, and current road conditions before relying on it. Avoid entering sensitive personal data such as full passport, driver license, or credit card numbers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Vague Triggers

Medium
Confidence: 87%
Finding
The trigger list is very broad and based on common travel phrases, so this skill may activate in loosely related conversations and take over responses unexpectedly. That increases the chance of misrouting user intent, generating irrelevant HTML output, or suppressing a more appropriate skill, especially in multi-skill environments where routing precision matters.

Natural-Language Policy Violations

Medium
Confidence: 76%
Finding
The skill content is written to produce Chinese-language output without any user-language negotiation or documented reason, which can cause unsafe or unusable responses for users expecting another language. In a travel/compliance context, language mismatch can reduce comprehension of legal and safety guidance, increasing the risk that important instructions are misunderstood.

VirusTotal

65/65 vendors flagged this skill as clean.
