Rivian Ls

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent Rivian telemetry helper, but users should treat its vehicle location data and cached Rivian credentials as sensitive.

Install only on a trusted machine. Review and trust the separate rivian-ls CLI before use, avoid putting real passwords or OTPs in shell history, restrict access to ~/.config/rivian-ls/credentials.json, and do not expose dashboard endpoints or logs containing GPS location, VIN, lock state, or door/window status.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 90%
Finding
The README explicitly states that Rivian credentials are cached automatically in ~/.config/rivian-ls/credentials.json, but it does not warn users that this file contains sensitive authentication material that could enable vehicle telemetry access if the host is compromised or the file permissions are weak. In this skill context, the risk is elevated because the cached tokens relate to a vehicle account and expose sensitive location and security-status data such as locks, doors, and GPS position.

Missing User Warnings

Medium
Confidence: 89%
Finding
The authentication examples encourage passing email, password, and OTP directly on the command line and mention local credential caching, but they do not prominently warn that command-line arguments may be exposed via shell history, process listings, logs, or backups. In a telemetry skill that accesses sensitive vehicle location, lock state, and other private data, weak secret-handling guidance increases the risk of account compromise and downstream privacy or physical-security exposure.

Missing User Warnings

Medium
Confidence: 89%
Finding
The script can fetch live Rivian telemetry and prints precise GPS coordinates without any explicit privacy notice, consent gate, or data-minimization control. Vehicle location, lock state, and related telemetry are highly sensitive; exposing them by default in agent workflows can leak whereabouts and behavioral patterns to logs, downstream tools, or unauthorized viewers.

VirusTotal

65/65 vendors flagged this skill as clean.