nanyuu

Security checks across malware telemetry and agentic risk

Overview

This skill appears designed to process ride receipts, but it handles raw Gmail receipt data and sends it to a local service with too little disclosure and control.

Install only if you are comfortable granting the skill access to ride-receipt emails and storing raw exported receipt data locally. Prefer reviewing or modifying it to minimize stored fields, confirm before sending data to the Gateway, and delete exported JSON files after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 95%
Finding
The skill performs sensitive operations including shell execution, Gmail access via a CLI, local file read/write, environment variable use, and HTTP requests to a local Gateway, but it does not declare corresponding permissions. Missing permission declarations weaken user consent and platform enforcement because a reviewer or runtime may not understand that the skill can access financial/location email data, persist raw receipts, and transmit them to a service endpoint. The local-only restriction reduces remote exfiltration risk, but the capability gap is still real because the skill handles highly sensitive data and relies on network and shell access.

Missing User Warnings

Medium
Confidence: 86%
Finding
The script sends full ride receipt email content, including potentially sensitive location, payment, and identity data, to another service without any runtime disclosure or explicit user confirmation in this code path. Even though the destination is constrained to loopback, local services may still log, retain, or further process this data, creating a meaningful privacy and data-handling risk in a skill built around personal ride history.

Missing User Warnings

Medium
Confidence: 92%
Finding
The script intentionally extracts and stores raw ride-receipt email content, including HTML, subject, sender, snippets, and message IDs, into a local JSON file. In this skill's context, that data is highly sensitive and may contain names, addresses, timestamps, fare details, and travel patterns; persisting it without explicit minimization, consent warning, access controls, or retention safeguards increases privacy and data-exposure risk.

VirusTotal

65/65 vendors flagged this skill as clean.
