Roadbook Csv 1.0.0

Security checks across malware telemetry and agentic risk

Overview

The skill does what it advertises: it sends travel CSV data to Cyeam to create a shareable roadbook link, with privacy considerations but no hidden code or unrelated access found.

Install only if you are comfortable sending trip names, addresses, dates, lodging stops, and notes to Cyeam services to create a shareable link. Avoid sensitive home addresses, confidential travel plans, or private notes unless you are comfortable with temporary external storage and link-based sharing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 90%
Finding
The skill’s usage example and scope are broad enough that it may activate on ordinary travel-planning requests and automatically transform user itinerary details into a third-party API call. This creates a data-handling and consent risk because users may think they are only asking for planning help, not for their travel data to be uploaded and published as a shareable roadbook.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill instructs the agent to check for an API key and call the external service, but it does not require a clear user-facing notice that itinerary contents, addresses, dates, and notes will be sent to a third-party service and stored remotely. Given the skill explicitly states data is stored in Redis for 30 days and exposed via a share link, the lack of a prominent privacy/consent step materially increases privacy risk.

VirusTotal

65/65 vendors flagged this skill as clean.
