Groundapi Context Aware

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed GroundAPI daily-assistant skill; its main consideration is privacy around third-party lookups, not hidden or destructive behavior.

Install only if you trust GroundAPI with API-backed requests. Provide an explicit city when possible to avoid IP-based location inference, and avoid entering shipment numbers or phone verification digits unless you are comfortable sending them to the configured GroundAPI service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 90%
Finding
The skill is configured to auto-trigger on very broad, everyday phrases such as greetings and general questions, which can cause it to activate without clear user intent. In this skill, unintended activation is riskier because it chains multiple tools and may automatically infer location via IP and fetch news, traffic, and other contextual data the user did not explicitly request.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to call life_ip() automatically when the user does not specify a city, but it does not warn the user or obtain consent before inferring approximate location from IP. This creates a privacy issue because a seemingly simple weather request can silently trigger geolocation and downstream context enrichment.

Missing User Warnings

Medium
Confidence: 88%
Finding
The package-tracking flow handles shipment identifiers and may request the last four digits of the recipient's phone number, but the skill provides no privacy warning or data-minimization guidance. Because logistics numbers and phone fragments are sensitive personal data, automatic handling without clear notice increases the risk of exposing delivery status or linking a person to a shipment.

VirusTotal

64/64 vendors flagged this skill as clean.
