TomTom Traffic Commute

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a legitimate TomTom commute helper, but it needs review because its shell scripts interpolate input values into Python source code passed to `python3 -c`, so crafted values could execute unintended local Python code.

Install only if you are comfortable sending precise commute locations and optional departure timing to TomTom, and only use the AgentMail example with trusted input values until the shell scripts are fixed to pass data safely into Python instead of interpolating it into source code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation instructs users to send precise origin and destination coordinates to TomTom, which can reveal highly sensitive location patterns such as home and workplace addresses. Without a privacy warning or minimization guidance, users may unknowingly disclose personal commuting data to a third party.

External Transmission

Medium
Category
Data Exfiltration
Content
# Optionally send email if AgentMail is configured
if [ -n "$AGENTMAIL_API_KEY" ] && [ -n "$AGENTMAIL_INBOX" ] && [ -n "$COMMUTE_TO" ]; then
  curl -s -X POST "https://api.agentmail.to/v0/inboxes/${AGENTMAIL_INBOX}/messages/send" \
    -H "Authorization: Bearer $AGENTMAIL_API_KEY" \
    -H "Content-Type: application/json" \
    -d "$(python3 -c "
Confidence
95% confidence
Finding
curl -s -X POST "https://api.agentmail.to/v0/inboxes/${AGENTMAIL_INBOX}/messages/send" \
  -H "Authorization: Bearer $AGENTMAIL_API_KEY" \
  -H "Content-Type: application/json" \
  -d

External Transmission

Medium
Category
Data Exfiltration
Content
# Optionally send email if AgentMail is configured
if [ -n "$AGENTMAIL_API_KEY" ] && [ -n "$AGENTMAIL_INBOX" ] && [ -n "$COMMUTE_TO" ]; then
  curl -s -X POST "https://api.agentmail.to/v0/inboxes/${AGENTMAIL_INBOX}/messages/send" \
    -H "Authorization: Bearer $AGENTMAIL_API_KEY" \
    -H "Content-Type: application/json" \
    -d "$(python3 -c "
Confidence
95% confidence
Finding
https://api.agentmail.to/

VirusTotal

62/62 vendors flagged this skill as clean.