MTA Commuter

Security checks across malware telemetry and agentic risk

Overview

This is a coherent MTA transit skill, but users should understand it can save home/work locations locally and create optional track-watch cron jobs.

Install only if you are comfortable with saved places such as home and work being stored locally in data/locations.json and with user-provided addresses being geocoded through the agent's web/geocoding path. Use track watch only when you intentionally want a temporary cron poller and know how to remove it if the train is canceled or the watch is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Description-Behavior Mismatch

Severity: Medium (94% confidence)
The manifest describes transit lookup features but omits that the skill persistently stores sensitive home/work location data in a local JSON file and guides the agent to collect that data during setup. This is dangerous because users may disclose precise addresses without understanding they will be retained, creating privacy and retention risks beyond a simple schedule lookup tool.

Description-Behavior Mismatch

Severity: Medium (93% confidence)
The manifest does not disclose that the skill can create cron-based background monitoring jobs and send outbound notifications for track watches. Hidden background execution is risky because it extends the skill from on-demand trip lookup into persistent automation that may continue running and messaging after the user interaction ends.

Context-Inappropriate Capability

Severity: Medium (91% confidence)
The instructions tell the agent to geocode user addresses via general web search, which introduces an undeclared external data flow for sensitive location data. Sending home/work addresses to arbitrary web services or search providers can expose personal information to third parties and exceeds the expected scope of a local transit lookup skill unless clearly disclosed and controlled.

Context-Inappropriate Capability

Severity: High (88% confidence)
The track-watch workflow directs the agent to invoke background scheduler commands through shell execution, creating ongoing tasks beyond the core real-time transit lookup function. This is more dangerous in context because it combines shell access, persistence, polling, and outbound notifications, which materially increases the blast radius if misused or if command parameters are not tightly controlled.

Description-Behavior Mismatch

Severity: Medium (94% confidence)
The skill writes user-defined locations, including addresses and coordinates, to a persistent JSON file even though the described capability is transit lookup and trip planning rather than long-term storage of personal places. Persisting home/work-style locations creates unnecessary retention of sensitive location data, increasing privacy risk if the host is shared, compromised, or logs/backups are later accessed.

Vague Triggers

Severity: Medium (84% confidence)
The README explicitly says the skill is triggered by broad natural-language intent rather than narrow commands, which increases the chance of over-activation on loosely related requests. In an agent setting, that can cause unintended tool use, unnecessary data access, or unexpected side effects such as trip planning or follow-on actions when the user did not clearly consent.

Missing User Warnings

Severity: Medium (91% confidence)
The README encourages saving home, office, and other common locations but does not clearly warn that these are persistent, potentially sensitive addresses stored locally. Home/work addresses are high-value personal data, and users may disclose them without understanding retention, visibility, or deletion behavior.

Missing User Warnings

Severity: Medium (88% confidence)
The track-watch feature creates an `openclaw cron` job that polls every 20 seconds, but the README frames it as a simple notification without clearly warning that a recurring scheduled task will be created. Hidden or under-disclosed automation can surprise users, consume resources, and create persistence that outlasts the immediate request.

Vague Triggers

Severity: Medium (85% confidence)
The trigger list includes broad phrases like 'commute,' 'alternatives,' and 'get me to,' which can activate the skill in contexts not clearly about MTA rail transit. Over-broad triggering is risky because it can route unrelated conversations into a skill that stores locations, uses web geocoding, or sets up monitoring, leading to unexpected handling of user data.

Missing User Warnings

Severity: Medium (94% confidence)
The skill instructs the agent to store users' home and work addresses in a local JSON file without an explicit privacy warning, retention notice, or consent flow. In context, these are highly sensitive location records tied to routine movement patterns, so silent storage raises meaningful privacy and safety concerns even if the feature is intended for convenience.

VirusTotal

67/67 vendors flagged this skill as clean.
