Houston Transtar Watch

Security checks across malware telemetry and agentic risk

Overview

The traffic-monitoring code looks mostly legitimate, but the installed entrypoint is wired to run an unrelated external placeholder script outside the reviewed package.

Review before installing. The public traffic polling code itself is coherent, but the package should not be trusted as-is until the maintainer removes the placeholder external-script runner, registers the included TranStar watcher directly, aligns the documented script name with the actual code, and declares network, local state, schedule, delivery, and any execution permissions clearly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Adjust the number of ".." based on your folder depth
script_path = os.path.join(current_dir, "..", "..", "scripts", "your_script.py")

process = subprocess.run(["python", script_path], capture_output=True, text=True)
return process.stdout
Confidence
94% confidence
Finding
process = subprocess.run(["python", script_path], capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares no permissions while its documented behavior includes shell execution and network activity, which creates a transparency and enforcement gap. Undeclared capabilities make it harder for users or a runtime policy engine to assess what the skill can actually do, and can mask higher-risk actions such as executing local scripts or reading/writing state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill description promises a simple RSS-to-WhatsApp watcher, but the analyzed behavior indicates execution of an external script, local file access, missing actual delivery/scheduling logic, and a mismatch in the registered script path. That discrepancy is dangerous because it prevents meaningful user consent and review; a skill that does more than advertised can conceal unintended or unauthorized actions under an innocuous description.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The implemented behavior does not match the manifest's Houston TranStar RSS monitoring and WhatsApp notification purpose; instead it acts as a generic external-script launcher. Purpose mismatch is dangerous in agent skills because it can conceal unauthorized behavior and bypass user expectations and review processes.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Subprocess execution is unjustified for a traffic-watch/notification skill and substantially expands the attack surface beyond what the declared capability requires. In this context, spawning external code is especially suspicious because the manifest describes a narrow automation task, not arbitrary local code execution.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill explicitly states that incident updates are sent over WhatsApp but provides no user-facing warning or consent language about transmitting monitoring data to an external messaging service. While the feed itself may be public, the fact that a user is monitoring specific incident patterns or routes can reveal location, commuting, or operational interests, especially in a persistent scheduled workflow.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill launches an external script without any user-facing disclosure, consent, or indication that code outside the skill will run. Hidden execution is dangerous in an agent/plugin context because it defeats informed trust decisions and can mask unexpected behaviors or side effects.

VirusTotal

66/66 vendors flagged this skill as clean.