Recreation Information Database Search

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: search recreation.gov RIDB data, with expected external location/API lookups.

Before installing, confirm you are comfortable sending entered locations or coordinates to OpenStreetMap Nominatim for geocoding and to recreation.gov RIDB for facility lookup. Avoid using sensitive private locations if that matters to your threat model.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The README states that geocoding uses OpenStreetMap Nominatim and RIDB queries are sent to ridb.recreation.gov, but it does not clearly warn users that their entered locations or coordinates will be transmitted to third-party services. This can expose sensitive travel plans, precise locations, or operational context if users assume searches are local-only, making it a real privacy and data-handling issue rather than a false positive.

VirusTotal

65/65 vendors flagged this skill as clean.