Security audit

License Plate Reader

Security checks across malware telemetry and agentic risk

Overview

This skill sends a user-selected image to TrafficEye to read a license plate, which is disclosed and aligned with its purpose, but users should treat the images as privacy-sensitive.

Install only if you are comfortable sending chosen vehicle images and plate data to TrafficEye or the configured compatible endpoint. Avoid using it on images that include sensitive people, locations, or business context unless you have permission, and keep the API URL and API key settings scoped to a service you trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium, 97% confidence

Finding
The skill asks for a local image path and uploads that image to a third-party API, but the user-facing description does not clearly warn that local files leave the system for external processing. Because license plate images often contain personal data and contextual scene information, this omission creates a meaningful privacy and consent risk.

Missing User Warnings

Medium, 92% confidence

Finding
The script sends local image files to a third-party service by default, but its CLI description and output do not clearly warn the user that image contents leave the local system. Because license-plate images can contain personal data and contextual scene information, this can cause unintended data disclosure, especially when the tool is invoked indirectly by an agent or automation rather than a fully informed human.

VirusTotal

66/66 vendors flagged this skill as clean.
