caocao-chuxing-skill

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built for CaoCao ride-hailing, but it can create or cancel real rides without a mandatory confirmation step and stores the API key in a plaintext URL config.

Install only if you are comfortable giving this skill a CaoCao MCP API key and allowing it to perform live ride actions. Before using create or cancel flows, require the agent to show pickup, destination, selected service type, estimated fare, and order number, then ask for explicit confirmation. Delete or protect config/mcporter.json when finished because it contains the API key-bearing endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding:
The skill instructs the agent to execute local Python scripts, persist an API key via a configure command, and call external ride-hailing services, which implies file read/write and network capabilities. Because these capabilities are not explicitly declared, the host or reviewer cannot accurately assess the skill’s access needs, increasing the risk of over-privileged execution and unsafe secret handling.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The ride_flow path can place a real ride order immediately when action=create-order, with no explicit confirmation gate, dry-run mode, or interactive warning before invoking trip_create_order. In a ride-hailing skill, this can trigger unintended real-world transactions and dispatch a driver based on ambiguous input or accidental invocation.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The cancellation command directly invokes trip_cancel_order using only the supplied order number and optional reason, without any confirmation or display of the order details first. This makes accidental or unauthorized cancellations easier, potentially disrupting active rides or causing user harm if the wrong order is canceled.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The API key is persisted in plaintext config and embedded into the base URL as a query parameter, which increases exposure through local files, shell history, logs, proxy records, and server access logs. Credentials in URLs are especially sensitive because they are commonly captured by observability and infrastructure components outside the application's control.

VirusTotal

66/66 vendors flagged this skill as clean.