Car Negotiator

Security checks across malware telemetry and agentic risk

Overview

This is a transparent car-shopping helper that researches public pricing, runs a simple local calculator, and drafts negotiation text without hidden account access or automatic purchases.

Before installing, understand that the skill may search public car-pricing sites using vehicle and location details you provide and may run its local Python calculator. Confirm your state, taxes, rebates, residuals, money factor, and final dealer terms before relying on its output, and only send generated emails or proceed with a purchase when you explicitly choose to.

SkillSpector (by NVIDIA)
Vulnerability Patterns checked
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The skill description includes broad activation examples such as "negotiate [car]", "lease [model]", and "best price [vehicle]", which can overlap with ordinary user requests and cause the skill to trigger unexpectedly. Over-broad triggering increases the chance of unintended invocation, routing users into a persuasive negotiation workflow without explicit consent and potentially causing confusion or inappropriate tool usage.

Natural-Language Policy Violations

Severity: Low
Confidence: 83%
Finding:
The description states "ET/US default," which imposes a regional and timezone assumption without confirming the user's location. In a car pricing and tax context, defaulting to a specific locale can produce inaccurate taxes, fees, incentives, timing assumptions, or negotiation guidance, which may mislead users or generate incorrect calculations.

VirusTotal

66/66 vendors flagged this skill as clean.
