ClawHub

Package Track

Security checks across malware telemetry and agentic risk

Overview

This appears to be a courier-tracking skill that discloses its external API use, with privacy considerations around tracking numbers and optional phone verification data.

Install only if you are comfortable sending package tracking numbers, carrier identifiers, and for some carriers limited verification data such as the last four digits of a phone number to Kdniao. Confirm the skill or platform clearly exposes its network/API requirement before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises and relies on outbound network access to a third-party courier API, but does not declare permissions accordingly. This creates a transparency and policy-enforcement gap: users or the hosting platform may invoke the skill without realizing it can transmit package identifiers and potentially customer verification data off-box.

External Transmission

Medium
Category
Data Exfiltration
Content
## Provider: 快递鸟 (Kdniao)

- **即时查询** RequestType: `1002`
- **Endpoint**: `https://api.kdniao.com/Ebusiness/EbusinessOrderHandle.aspx`
- **RequestData** (JSON): `ShipperCode`, `LogisticCode`, optional `OrderCode`, optional `CustomerName` (required for 顺丰 SF: last 4 digits of phone)
- **Sign**: `RequestData` (unencoded JSON, no spaces) + ApiKey → MD5 → Base64 → URL-encode
Confidence
82% confidence
Finding
https://api.kdniao.com/

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal