Local Places

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says overall, but users should review it because some bundled instructions and configuration can expose location queries or the Google API key beyond the intended localhost-only use.

Before installing:
  • Run the server only with the 127.0.0.1 command from SKILL.md.
  • Avoid the 0.0.0.0 README command unless you intentionally want network exposure and have added controls.
  • Confirm GOOGLE_PLACES_BASE_URL is unset or points only to a trusted Google endpoint.
  • Use the skill only for location searches you are comfortable sending to Google Places.

Keep the Google API key private and consider removing raw request-body logging before regular use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill requires access to environment variables and network communication, but these capabilities are not explicitly declared as permissions. This creates a transparency and governance gap: users and hosting systems may not realize the skill can access sensitive configuration like API keys and make outbound requests. In a security review context, undeclared capabilities are risky because they can hide data access and exfiltration paths.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill claims to use a localhost Google Places proxy, but the detected behavior indicates it also resolves locations, fetches place details, and may contact the external Google Places API directly. This mismatch undermines informed consent and trust boundaries, because users may believe data stays local when it is actually transmitted externally. Security-wise, description/behavior mismatches are dangerous because they conceal actual data flows and broaden exposure of user queries and location data.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The validation exception handler logs the full request body (`exc.body`) and detailed validation errors for any malformed request. This can capture user-supplied sensitive data and place it into application logs, expanding data exposure beyond the skill's stated purpose of brokering place lookups and creating unnecessary retention and access risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill does not warn users that their location queries, coordinates, and place-search terms may be transmitted to a Google-backed service. Location data is sensitive, and even ordinary place searches can reveal home/work areas, habits, religion, health interests, or travel plans. The omission reduces user awareness and consent around third-party data sharing.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The handler records full request contents and validation details without any indication of user consent or disclosure, which can result in collection of excess data from failed requests. In a localhost proxy skill, users may still send location queries or identifiers that should not be broadly logged, so this behavior increases privacy and compliance risk if logs are accessible to operators or other local users.

VirusTotal

67/67 vendors flagged this skill as clean.
