car-search

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent used-car search assistant, but it relies on automated scraping-style access and keeps a local cache of the last search.

Install only if you are comfortable with a tool that queries third-party car-listing sites using browser-like scraping behavior. Avoid high-volume use, avoid debug or trace logs in shared environments, and delete ~/.config/car-cli/last_search.json if you do not want recent search results retained locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill instructs the agent to run local commands (`uv run`, `uv sync`), write exported files, and make network requests to multiple external car platforms, but the skill declares no permissions or trust boundaries. That mismatch is dangerous because it can lead to unexpected tool use, outbound data access, environment interaction, and file creation without explicit review or least-privilege controls.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The client is deliberately engineered to mimic a real browser and reduce detection, as indicated by the anti-detection docstring, browser fingerprint-like headers, jitter, burst-aware pacing, and adaptive slowdown on 429 responses. In a used-car aggregation skill, this goes beyond normal resiliency and strongly suggests evasion of platform anti-bot controls or scraping defenses, which increases the likelihood of unauthorized collection and abuse.

Description-Behavior Mismatch

Low
Confidence
86% confidence
Finding
The search command silently persists full search results to local disk even though its stated purpose is only search and comparison. This creates an unexpected data-retention behavior that can expose potentially sensitive user interests, locations, or pricing data to other local users, backup systems, or later commands without the user's awareness.

Vague Triggers

High
Confidence
95% confidence
Finding
The description says the skill should be triggered even when the user does not explicitly mention used cars, including broad scenarios like discussing resale value or wanting a cost-effective car. This overbroad activation can cause unintended invocation, leading the agent to perform network searches and recommendations in contexts where the user did not ask for this skill, increasing privacy, autonomy, and misrouting risks.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly documents a debug mode that outputs full request URLs and HTTP traffic logs. In this skill's context, the client handles session initialization, CSRF tokens, JWT cookies, and anti-bot/cookie challenges for multiple platforms, so verbose logging can expose sensitive session identifiers, query history, and other request metadata if users paste logs into tickets, terminals are shared, or logs are persisted.

Natural-Language Policy Violations

Medium
Confidence
86% confidence
Finding
The code hard-codes "Accept-Language: zh-CN,zh;q=0.9,en;q=0.8" for all requests, forcing a Chinese-preferred locale without user consent or service-specific need. This can leak assumptions about geography, affect returned content or pricing, and combine with the spoofed browser headers to misrepresent the client context to third-party sites.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Search results are cached to disk without any user-facing warning, creating hidden persistence of user activity. In the context of a car-shopping skill, the data can reveal user location, budget, preferences, and potentially sensitive financial intent; this is more dangerous because the skill is presented as advisory/search functionality rather than as something that stores data locally.

VirusTotal

62/62 vendors flagged this skill as clean.
