Discover Events in Any City

Security checks across malware telemetry and agentic risk

Overview

This is a clearly scoped Outgoing event-search and ticket-booking skill that sends user search and booking details to Outgoing as part of its stated function.

Before installing, make sure users are comfortable sending event-search text, city or optional precise location, and a service-specific user identifier to Outgoing. Use pseudonymous external user IDs where possible, avoid unnecessary sensitive details in prompts, and only provide real payment tokens after explicit confirmation of the booking and total cost.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs the agent to provision users and send an `external_user_id` plus the user's natural-language query to a third-party API, but it does not include any explicit privacy notice, consent requirement, or guidance on minimizing personal data in prompts. Because date-night queries can contain sensitive relationship, location, timing, and preference information, this creates a real privacy and data-sharing risk even if the transmission is part of normal functionality.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs the agent to provision users and send an external user identifier to a third-party API, but it does not disclose that user-linked data is transmitted off-platform. In a natural-language search flow, user prompts may also contain location, preferences, and social context, so the omission creates a real privacy and consent risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs the agent to send an end user's persistent external identifier to a third-party API on every request, but it provides no guidance to obtain user consent, minimize the identifier, or disclose that this data is being shared externally. Because this skill is specifically about social activities and meeting new people, the searches may reveal sensitive behavioral preferences, making silent linkage of requests to a stable user ID a meaningful privacy risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs sending natural-language trip queries and potentially precise location context such as hotel area or lat/lng to an external API, but it does not include a clear user-facing disclosure or consent boundary. This can cause users to unknowingly share sensitive travel plans and location data with a third party, increasing privacy and profiling risk.

External Transmission

Medium
Category
Data Exfiltration
Content
### Search

```bash
curl -sS -G https://api.outgoing.world/partner/v1/search \
  -H "Authorization: Bearer $OUTGOING_API_KEY" \
  -H "X-External-User-Id: user-123" \
  --data-urlencode "prompt=romantic first-date dinner this Friday" \
```
Confidence
82% confidence
Finding
https://api.outgoing.world/

External Transmission

Medium
Category
Data Exfiltration
Content
### Search

```bash
curl -sS -G https://api.outgoing.world/partner/v1/search \
  -H "Authorization: Bearer $OUTGOING_API_KEY" \
  -H "X-External-User-Id: user-123" \
  --data-urlencode "prompt=social events and beginner classes to meet new people this week" \
```
Confidence
88% confidence
Finding
https://api.outgoing.world/

VirusTotal

64/64 vendors flagged this skill as clean.
