Ski Assistant

Security checks across malware telemetry and agentic risk

Overview

This ski assistant uses local files, web searches, and optional reminders for ski planning, but the reviewed behavior is disclosed, ski-related, and not deceptive.

Install only if you are comfortable with a ski assistant keeping local profile, trip, watchlist, and coaching-history files under ~/.ski-assistant and using live web/API lookups for prices, weather, currency, and resort data. Use scheduled reminders or IM notifications only after confirming the destination, dates, channel, and how to cancel them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (32)

Description-Behavior Mismatch
Low, 72% confidence
Updating the local resort database goes beyond passive assistance/analysis into persistent state modification. In this context, silent or loosely controlled data updates are risky because they can alter future recommendations, introduce poisoned data from network sources, or change local files unexpectedly.

Description-Behavior Mismatch
Medium, 92% confidence
The module requires persistent reads and writes to files under the user's home directory for coaching records and profile/history management, even though the skill is framed as a ski coaching assistant rather than a local data-management tool. This creates unnecessary privacy and integrity risk because sensitive behavioral data is stored locally without explicit consent, retention limits, or clear boundaries on what may be accessed or modified.

Context-Inappropriate Capability
Medium, 89% confidence
The skill instructs the agent to execute a local Python command and even suggests installing a dependency, which expands the skill from content generation into local code execution. That is dangerous because it can trigger arbitrary changes to the user's environment, create supply-chain exposure through package installation, and exceed the expected trust boundary of a ski assistant.

Description-Behavior Mismatch
Medium, 91% confidence
The module instructs the agent to pull a database file from GitHub and overwrite a local copy, which is a state-changing maintenance action outside a normal end-user ski assistant role. If triggered unintentionally or by a malicious prompt, this could replace trusted local data with unreviewed remote content and alter future assistant behavior or recommendations.

Description-Behavior Mismatch
Medium, 89% confidence
The discovery flow allows the agent to discover new resorts from external sources and optionally merge them into a persistent database, expanding the skill from read-only assistance into data mutation. This is risky because external data may be incomplete, incorrect, or adversarially poisoned, and merged entries can persist across sessions and affect later outputs.

Context-Inappropriate Capability
Medium, 89% confidence
The module instructs the agent to create cron-style scheduled reminders and send messages to an IM session, which expands behavior from a conversational ski assistant into persistent background task execution and outbound messaging. That increases the attack surface for unwanted notifications, unauthorized task creation, and user surprise, especially because these capabilities are not clearly declared in the skill metadata.

Description-Behavior Mismatch
Medium, 92% confidence
The module persistently stores trip details in local files under ~/.ski-assistant, including destination and travel dates, but the manifest does not disclose this storage behavior. Hidden persistence is a security and privacy issue because users may reveal sensitive itinerary data without informed consent, and the stored files may later be accessed, reused, or retained longer than expected.

Description-Behavior Mismatch
Medium, 90% confidence
This module extends beyond one-shot ski advice into persistent user-specific tracking by storing a watchlist and maintaining status/history in local files. Even if framed as user-requested monitoring, it introduces stateful data retention and notification behavior that expands the skill’s operational scope and increases privacy and misuse risk.

Context-Inappropriate Capability
Medium, 91% confidence
Allowing cron-based scheduled checks creates autonomous behavior not necessary for basic resort advice and can cause ongoing monitoring without repeated user action. This increases the chance of surprise background activity, repeated external queries, and collection or processing beyond the user’s immediate request.

Context-Inappropriate Capability
Medium, 87% confidence
The use of IM notification channels adds outbound messaging capability that is not clearly covered by the skill description. That creates a risk of unsolicited notifications, cross-channel data exposure, and user surprise if resort interests or timing data are sent to external messaging systems.

Intent-Code Divergence
Medium, 85% confidence
The documentation says the mechanism is 'pure passive' but later permits cron-based scheduled checks, which is a material contradiction about behavior. Such inconsistencies are dangerous because users and reviewers may underestimate background activity and consent implications.

Context-Inappropriate Capability
Medium, 92% confidence
The module explicitly instructs the agent to search flights and hotels, which expands behavior from a ski-resort assistant into broader travel planning. This is dangerous because it increases scope beyond the declared 'Not for: non-ski travel' boundary, making misfires and user confusion more likely and potentially causing the agent to handle unrelated travel requests it was not intended or reviewed to support.

Context-Inappropriate Capability
Medium, 95% confidence
The module instructs the agent to read a persistent file from the user's home directory (`~/.ski-assistant/user_profile.json`) before collecting needed trip-planning inputs. That is a privacy-sensitive local data access path not clearly disclosed in the skill metadata, and it can expose previously stored personal attributes without fresh user consent or clear necessity for the current request.

Context-Inappropriate Capability
Medium, 88% confidence
The module directs execution of local Python tools (`tools/price_api.py` and `tools/exchange_rate.py`) to fetch prices and currency data, but those execution capabilities are not declared in the stated skill scope. Undisclosed tool execution increases attack surface because the agent may run local code or invoke external services based on user requests without transparent permissioning or clear safety boundaries.

Description-Behavior Mismatch
Medium, 93% confidence
The document explicitly instructs the agent to append every coaching result to a local file, including resort, run name, media path, dates, skill scores, and longitudinal history fields. That expands behavior from transient coaching into persistent user profiling without any stated consent, retention policy, or minimization controls, creating privacy and scope-creep risk if the host environment stores sensitive activity and media metadata by default.

Intent-Code Divergence
Medium, 92% confidence
The module docstring asserts that output is only written under ~/.ski-assistant/exports/, but the actual path is derived from the SKI_ASSISTANT_DATA_DIR environment variable. In environments where an attacker can influence environment variables or where operators rely on the safety claim, the tool may write files to unexpected filesystem locations, creating a documentation-to-behavior mismatch that can weaken trust boundaries and operational safeguards.

Description-Behavior Mismatch
High, 93% confidence
The module exposes flight and hotel search capabilities even though the skill metadata says it is not for non-ski travel. This scope expansion increases data-sharing and action surface beyond user expectations, creating a policy and privacy risk because a ski assistant can silently become a general travel brokerage bridge.

Context-Inappropriate Capability
Medium, 84% confidence
This code creates a subprocess bridge to an external travel-search CLI, enabling networked access to third-party services that are not clearly necessary for the declared ski-assistant scope. In context, that broadens the system's external interaction surface and can transmit user itinerary data to outside services without a clear least-privilege justification.

Intent-Code Divergence
Medium, 80% confidence
The documentation frames the tool as not sending data externally except for flyai's own queries, but the code's purpose is precisely to pass user-supplied travel parameters to an external CLI that performs network lookups. That mismatch can mislead reviewers and users about the real data flow, weakening informed consent and security review quality.

Context-Inappropriate Capability
Medium, 80% confidence
The update_db function blindly downloads a JSON database from a GitHub raw URL and overwrites the local database after only minimal structural validation. This creates a supply-chain integrity risk: if the upstream repository, branch, or transport assumptions are compromised, the skill will ingest attacker-controlled content that can influence downstream assistant behavior and recommendations.

Vague Triggers
Medium, 83% confidence
Advertising that the skill responds naturally without special keywords broadens activation too much for a skill with shell, file, and network capabilities. Over-broad triggering increases the chance of accidental invocation, unexpected data access, or execution of side-effecting workflows from casual conversation.

Vague Triggers
Medium, 78% confidence
The trigger list includes broad natural-language phrases for common coaching requests, increasing the chance the module activates when a user did not intend to start the full coaching workflow. In this skill, unintended invocation is more concerning because activation can lead to media analysis and local file persistence, not just harmless text responses.

Missing User Warnings
Medium, 95% confidence
The module directs the agent to write analysis records to ~/.ski-assistant/records.json without first warning the user that personal performance data will be stored persistently on disk. Silent storage of user-derived data undermines privacy expectations and can expose sensitive history to other local processes or users with filesystem access.

Missing User Warnings
Low, 91% confidence
The skill reads ~/.ski-assistant/user_profile.json to personalize recommendations without disclosing that local profile data will be accessed. Even if the data seems low sensitivity, undisclosed access to local files violates least surprise and can reveal personal preferences or history the user did not intend to expose in that interaction.

Missing User Warnings
Low, 90% confidence
The optional share-card flow invokes a local Python tool without warning the user that an external command will run. Hidden command execution is risky because it crosses from advisory behavior into host action, which can affect the local system, fail unpredictably, or be abused if tool arguments or environment are not tightly controlled.

VirusTotal

44/44 vendors flagged this skill as clean.