ClawHub

Cliento Booker

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Cliento appointment-booking helper, but users should be deliberate about real bookings, calendar access, and saved contact details.

Install only if you want an agent to help make real Cliento appointments. Use trusted Cliento booking URLs, review the service, provider, time, price, and contact details before confirmation, decline calendar access unless you want conflict checking, and only save personal details in USER.md if you are comfortable with local reuse.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to store the user's first name, last name, phone number, and email in `USER.md` for future use, but the top-level description does not warn that personal contact details may be permanently saved locally. This creates a privacy and consent risk because users may invoke a booking skill without realizing their PII could be persisted beyond the immediate transaction.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The workflow includes optional calendar cross-referencing to read the user's schedule and filter appointment slots, but the skill description does not clearly disclose that calendar data may be accessed and processed. Even if conditional on tool availability, this is sensitive behavioral data and should be transparently communicated before use.

Missing User Warnings

Low
Confidence
95% confidence
Finding
The register command fetches an arbitrary user-supplied URL and returns raw HTML to the agent, creating an SSRF-style primitive that can be used to access internal services, cloud metadata endpoints, or other unintended network locations from the execution environment. Because the fetched content is printed verbatim for agent parsing, it can also expose sensitive internal data and feed adversarial prompt content back into downstream processing.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal