腾讯出行服务打车skills (Tencent Mobility Service ride-hailing skill)

Security checks across malware telemetry and agentic risk

Overview

This ride-hailing skill is mostly coherent, but it uses a stored account token to book, cancel, and query real rides, can be triggered by broad everyday phrases, persists sensitive location data locally, and has weak confirmation boundaries in its shortcut flows.

Install only if you trust the publisher and are comfortable giving the skill a Tencent ride-service token that can be used for real bookings and ride history/order actions. Treat ~/.config/tms-takecar/env.json and the saved address/shortcut files as sensitive, avoid using casual shortcut phrases unless you intend a ride workflow, and confirm pickup, dropoff, price, and vehicle choice before allowing any order creation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The skill instructs the agent to run local Python scripts, read referenced files, and potentially perform network-backed ride-order operations, but the manifest declares no permissions. This creates a capability/authorization mismatch: an agent or platform may execute sensitive actions without clear consent, review, or sandbox policy, increasing the risk of file, environment, or network abuse if the skill or its dependencies are modified.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The contract explicitly states that the script parses a raw `longitude,latitude` location string and then assigns the first segment to `latitude` and the second to `longitude`, which reverses the coordinates. In a ride-hailing context this can misrepresent driver location, causing users to go to the wrong place, make unsafe pickup decisions, or miss a vehicle during an active trip.
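The defect is easy to reproduce and easy to guard against. The following is an added example, not the skill's own script: `parse_location_swapped` mirrors the divergence described above, and `parse_location` parses the string in the documented `longitude,latitude` order and range-checks both values so that a swap of any point with |longitude| > 90 (which covers all of mainland China) fails loudly instead of sending the rider somewhere else. The `Point` type and the sample coordinates are assumptions.

```python
from typing import NamedTuple


class Point(NamedTuple):
    latitude: float
    longitude: float


def parse_location_swapped(raw: str) -> Point:
    """Reproduces the divergence the finding describes: the contract says the
    string is 'longitude,latitude', yet the first segment lands in latitude."""
    first, second = raw.split(",")
    return Point(latitude=float(first), longitude=float(second))


def parse_location(raw: str) -> Point:
    """Parse 'longitude,latitude' in the order the contract states and reject
    out-of-range values, so an accidental swap of a point with |lon| > 90
    raises instead of producing a plausible-looking but wrong location."""
    parts = [p.strip() for p in raw.split(",")]
    if len(parts) != 2:
        raise ValueError(f"expected 'longitude,latitude', got {raw!r}")
    lon, lat = float(parts[0]), float(parts[1])
    if not -180.0 <= lon <= 180.0:
        raise ValueError(f"longitude out of range: {lon}")
    if not -90.0 <= lat <= 90.0:
        raise ValueError(f"latitude out of range: {lat}")
    return Point(latitude=lat, longitude=lon)


def is_plausible(point: Point) -> bool:
    """Range check usable on any Point, e.g. one produced by the buggy parser."""
    return -90.0 <= point.latitude <= 90.0 and -180.0 <= point.longitude <= 180.0


# Constructed sample: a point in Shenzhen written as longitude,latitude (assumption).
SAMPLE = "114.0579,22.5431"

if __name__ == "__main__":
    bad = parse_location_swapped(SAMPLE)
    print(bad, "plausible:", is_plausible(bad))  # latitude 114.06 is impossible
    print(parse_location(SAMPLE))
```

The range check is not a complete defence (a swap of a point near the equator and prime meridian would pass), so the real fix is the correct assignment order; the check exists to turn the common case of this bug into an error rather than a wrong pickup.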

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The workflow instructs the agent to help install Python on the user's machine, which exceeds the narrowly stated purpose of a ride-hailing assistant. Expanding into local software installation increases the attack surface and normalizes privileged system changes unrelated to booking rides, making abuse or unsafe operator behavior more likely.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The skill requires reading and acting on local credential/config data from ~/.config/tms-takecar/env.json, including a token and resident city. For a ride-calling assistant, direct management of local sensitive configuration is broader than the user-facing purpose and creates risk of credential exposure, misuse, or unintended persistence on disk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding
The workflow explicitly allows a 'necessary memory.md update' during the atomic write path, but later states that memory.md must no longer store address and shortcut-ride content. That unjustified extra write expands the persistence surface beyond the ride-hailing purpose and can cause unintended storage of user travel data in a secondary file, increasing privacy and consistency risk.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding
The document contradicts itself by permitting memory.md updates in the write sequence while later declaring that memory.md no longer stores address and shortcut-call data. Security-relevant contradictions in data-handling rules are dangerous because implementations may choose the broader interpretation, leading to unauthorized retention, privacy leakage, or desynchronized state across files.

Description-Behavior Mismatch

Severity: Low
Confidence: 86%
Finding
The workflow instructs the agent to delete the existing state file at the start of a ride flow without any user notice or confirmation. Even if intended as session hygiene, this is still a state-destructive action that can erase active workflow context or in-progress order data and may interfere with order handling or auditability.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The workflow permits silent order creation when no car-type preference exists, removing an explicit user confirmation step before a real-world transactional action. In a ride-hailing context, this can cause unauthorized bookings, financial charges, and privacy exposure through unintended dispatch to pickup/dropoff locations.

Vague Triggers

Severity: High
Confidence: 95%
Finding
The trigger conditions are extremely broad, including generic travel phrases like '去[地点]' ("go to [place]"), '回家' ("go home"), '上班' ("go to work"), and '下班' ("get off work"), and even say the skill should trigger when the user does not explicitly mention ride-hailing. This can cause accidental invocation during ordinary conversation, leading to unintended access to location, order, or account workflows and increasing the chance of unwanted transactional actions.

Missing User Warnings

Severity: Medium
Confidence: 81%
Finding
The contract instructs the skill to persist an authentication token in `~/.config/tms-takecar/env.json` but provides no warning about plaintext credential handling, file permissions, logging hygiene, or user consent. In a skill that can create, query, and cancel ride orders, theft of that token could enable unauthorized access to ride history and account actions.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The token management steps tell the agent to delete and replace a sensitive token without any warning about credential sensitivity, confirmation of destructive actions, or explanation of the consequences. This makes accidental account disruption or credential mishandling more likely, especially because the token appears to grant access to ride-service functionality.
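The two findings above (plaintext token persistence and silent delete-and-replace of the token) both come down to how `env.json` is written and read. The following is an added example, not the skill's own code, of the handling a reviewer would expect: the file is written atomically with owner-only permissions, a file that group or other can read is refused rather than used, the token is masked before anything is logged or echoed into an agent transcript, and rotation returns the masked previous token so the user can be told what was replaced. The path and the `token`/`city` keys are assumptions based on the report's description; permission bits apply on POSIX systems.

```python
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional

# Path and key names are assumptions taken from the report's description.
CONFIG_PATH = Path("~/.config/tms-takecar/env.json").expanduser()


def write_env(config: dict, path: Path = CONFIG_PATH) -> Path:
    """Atomically write the config readable only by the owner.

    mkstemp creates the temp file 0600 in the target directory; the content is
    flushed and fsynced, then renamed over the target, so a reader never sees a
    half-written file and the old token is not left behind in a stray copy."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.parent.chmod(0o700)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".env-", suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            json.dump(config, f, ensure_ascii=False, indent=2)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, 0o600)  # belt and braces; mkstemp already did this
        os.replace(tmp, path)
    except BaseException:
        try:
            os.unlink(tmp)
        except FileNotFoundError:
            pass
        raise
    return path


def file_mode(path: Path) -> int:
    return stat.S_IMODE(path.stat().st_mode)


def read_env(path: Path = CONFIG_PATH) -> dict:
    """Refuse a token file that group or other can read or write: a loose mode
    means the token may already be exposed, or the city/token tampered with."""
    mode = file_mode(path)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} has mode {mode:04o}; expected 0600")
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def redacted(config: dict) -> dict:
    """Copy safe for logs and agent transcripts: only a short token tail is kept."""
    out = dict(config)
    tok = str(out.get("token", ""))
    if tok:
        out["token"] = "***" + tok[-4:] if len(tok) > 8 else "***"
    return out


def replace_token(new_token: str, path: Path = CONFIG_PATH) -> dict:
    """Rotate the token in place, keeping the other keys; the masked previous
    config is returned so the caller can tell the user what was replaced
    instead of silently overwriting it."""
    current = read_env(path)
    previous = redacted(current)
    current["token"] = new_token
    write_env(current, path)
    return previous


def demo(directory: Optional[str] = None) -> dict:
    """Round trip in a scratch directory with constructed values; returns checkable results."""
    directory = directory or tempfile.mkdtemp(prefix="tms-demo-")
    path = Path(directory) / "env.json"
    write_env({"token": "tok-constructed-0123456789", "city": "shenzhen"}, path)
    mode_ok = file_mode(path) == 0o600
    first = read_env(path)["token"]
    previous = replace_token("tok-constructed-rotated", path)
    rotated = read_env(path)["token"]
    os.chmod(path, 0o644)  # simulate a careless copy or backup
    try:
        read_env(path)
        loose_rejected = False
    except PermissionError:
        loose_rejected = True
    return {"mode_ok": mode_ok, "first_token": first,
            "previous_masked": previous["token"], "rotated": rotated,
            "loose_rejected": loose_rejected}


if __name__ == "__main__":
    print(demo())
```

Whatever calls `replace_token` should still confirm with the user first; the function only makes the replacement visible and reversible in principle, it does not decide whether it should happen.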

Vague Triggers

Severity: Medium
Confidence: 82%
Finding
The shortcut trigger phrases are broad everyday expressions such as '回家' ("go home") or '上班' ("go to work"), which can be used in non-transactional conversation. In a skill that can create actual ride orders, over-broad activation increases the chance of accidental entry into a booking flow and compounds the danger of later automatic actions.
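To make the two trigger findings concrete, the following added example (not the skill's own trigger logic) contrasts a matcher as broad as the one described with a narrowed one: an explicit ride-hailing verb routes to the booking flow, a bare shortcut phrase only prompts a question, and anything else stays out of the ride workflow. The regular expressions and the sample utterances are constructed for this illustration.

```python
import re
from typing import Optional

# Roughly what the report describes: any "go to <place>", "go home",
# "go to work" or "get off work" phrase fires the skill, ride mentioned or not.
BROAD_TRIGGER = re.compile(r"去.+|回家|上班|下班")

# Explicit ride-hailing verbs (constructed list): 打车/叫车 "call a car",
# 打个车/叫辆车, and 送我去/载我去 "take me to".
RIDE_VERB = re.compile(r"[打叫][个辆]?车|[送载]我去")

# A shortcut phrase counts only when it is the whole request, optionally led by
# 我要/我想/帮我 ("I want"/"help me"), e.g. "我要回家" but not "我下班后回家吃饭".
SHORTCUT_ONLY = re.compile(r"^(?:我要|我想|帮我)?(回家|上班|下班)$")

TRAILING_PUNCT = "。！!？?~～，,.… "


def broad_trigger(text: str) -> bool:
    """The over-broad behaviour: fires on ordinary conversation."""
    return bool(BROAD_TRIGGER.search(text))


def classify(text: str) -> Optional[str]:
    """'book': explicit ride request, enter the (still user-confirmed) booking flow.
    'ask': bare shortcut phrase, ask "call a car home?" before touching any order.
    None: ordinary conversation, do not enter the ride workflow at all."""
    text = text.strip().rstrip(TRAILING_PUNCT)
    if RIDE_VERB.search(text):
        return "book"
    if SHORTCUT_ONLY.fullmatch(text):
        return "ask"
    return None


# Constructed utterances with translations.
SAMPLES = {
    "帮我打车回家": "call me a car home",
    "叫辆车去机场": "get a car to the airport",
    "我要回家": "I want to go home",
    "回家！": "go home!",
    "我下班后回家吃饭": "I'm going home for dinner after work",
    "明天去北京出差": "business trip to Beijing tomorrow",
}

if __name__ == "__main__":
    for zh, en in SAMPLES.items():
        print(f"{zh} ({en}): broad={broad_trigger(zh)} narrow={classify(zh)}")
```

The narrowing is deliberately conservative: "ask" never creates an order, and "book" still has to pass the order confirmation step, so the worst outcome of a false positive is an unnecessary question rather than a dispatched car.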

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
Deleting the state file without warning or confirmation is a risky state-management practice because users are not informed that prior ride context may be discarded. While the direct impact is limited to workflow state, it can still disrupt active sessions, hide prior context, and make unintended order handling harder to recover from.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The create-order flow directly submits a ride-booking request using persisted state without any explicit in-file confirmation gate, dry-run mode, or user-acknowledgment step. Because ordering a car is a real-world, safety- and cost-impacting action, accidental or prompt-injected invocation can trigger unwanted bookings, charges, location disclosure, and physical dispatch to the user's location.
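Both the silent-order finding above and the missing-confirmation finding for the create-order flow ask for the same thing: a gate inside the script that the ordering path cannot bypass. The following is an added example, not the skill's own create-order code. It shows a dry-run mode, a random single-use confirmation code that is bound to a digest of exactly the pickup, dropoff, vehicle and price the user was shown, and an expiry; a missing car-type preference is handled by putting a visible default into the draft, not by skipping the gate. The `OrderDraft` fields, the `submit` callback and the sample trip are assumptions.

```python
import hashlib
import json
import secrets
import time
from dataclasses import asdict, dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class OrderDraft:
    pickup: str
    dropoff: str
    vehicle: str      # car type; a default such as "economy" is shown, never silently assumed
    price_cny: float


class ConfirmationRequired(Exception):
    """Raised when create_order is called without a valid code for this exact draft."""


def draft_digest(draft: OrderDraft) -> str:
    """Hash of exactly what the user was shown; any change to pickup, dropoff,
    vehicle or price between prompt and submit invalidates the approval."""
    canon = json.dumps(asdict(draft), sort_keys=True, ensure_ascii=False)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def describe(draft: OrderDraft) -> str:
    return (f"{draft.vehicle} from {draft.pickup} to {draft.dropoff}, "
            f"about {draft.price_cny:.2f} CNY")


class ConfirmationGate:
    """Single-use, time-limited confirmation codes held in the script's own state.

    The code is random, so it cannot be derived from the draft by whoever (or
    whatever) composes the request, and it only approves the draft it was issued for."""

    def __init__(self, ttl_seconds: float = 120, now: Callable[[], float] = time.time):
        self._pending: Dict[str, Tuple[str, float]] = {}
        self._ttl = ttl_seconds
        self._now = now

    def request(self, draft: OrderDraft) -> Tuple[str, str]:
        code = secrets.token_hex(3)  # 6 hex chars for a human to type back
        self._pending[code] = (draft_digest(draft), self._now() + self._ttl)
        return code, f"Book {describe(draft)}? Reply {code} to confirm."

    def approve(self, draft: OrderDraft, code: str) -> bool:
        entry = self._pending.pop(code, None)  # consumed on any attempt, valid or not
        if entry is None:
            return False
        digest, expires = entry
        return digest == draft_digest(draft) and self._now() <= expires


def create_order(draft: OrderDraft, gate: ConfirmationGate,
                 submit: Callable[[OrderDraft], str],
                 code: Optional[str] = None, dry_run: bool = False) -> str:
    """The only path to submit(): a dry run just describes the order; otherwise a
    valid code for this exact draft is mandatory, regardless of stored preferences."""
    if dry_run:
        return "DRY-RUN: would book " + describe(draft)
    if code is None or not gate.approve(draft, code):
        raise ConfirmationRequired("no valid confirmation for: " + describe(draft))
    return submit(draft)


def fake_submit(draft: OrderDraft) -> str:
    """Constructed stand-in for the real ride-service call."""
    return "order-" + draft_digest(draft)[:8]


if __name__ == "__main__":
    gate = ConfirmationGate()
    draft = OrderDraft("Shenzhen North Station", "Tencent Binhai Towers", "economy", 38.0)
    code, prompt = gate.request(draft)
    print(prompt)
    print(create_order(draft, gate, fake_submit, code=code))
```

One caveat: if the same model both reads the prompt and writes the reply, the code only binds an approval to the draft that was displayed and blocks silent or replayed submission; it is a genuine user acknowledgment only when the prompt is surfaced to the human (terminal `input()`, chat UI) and the reply is taken from them rather than from the agent.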

VirusTotal

67/67 vendors flagged this skill as clean.
