Transition MCP

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Transition fitness-coaching integration whose data access and API calls match its stated purpose, though users should treat the fitness and chat data as sensitive.

Install only if you trust Transition with your API key and fitness/coaching data. Be cautious about sharing unnecessary medical details in coach chat, and confirm before allowing actions that adapt your training plan or push workouts to Garmin.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill invokes shell-style commands and relies on environment variables for authentication, but it does not declare permissions reflecting those capabilities. This creates a transparency and consent gap: users and hosting platforms may not realize the skill can access secrets and initiate outbound requests, increasing the risk of unintended secret exposure or over-privileged execution.

Missing User Warnings

Medium
Confidence: 94%
Finding: The skill description does not clearly warn users that authenticated calls send sensitive fitness, health-adjacent, profile, schedule, and chat data to an external service. Without an explicit disclosure, users may unknowingly authorize transmission of personal training data off-platform, which is a material privacy and consent issue.

Missing User Warnings

Medium
Confidence: 95%
Finding: The skill exposes state-changing actions such as workout generation, plan adaptation, and Garmin push without a clear warning that these operations can modify a user's training plan or affect connected third-party services. This can lead to unintended changes to schedules, recommendations, and external device ecosystems if triggered without informed user confirmation.

VirusTotal

64/64 vendors flagged this skill as clean.