Agv

Security checks across malware telemetry and agentic risk

Overview

This skill is labeled as an AGV route planner, but it actually behaves like a local note/config store that can persist, delete, and export arbitrary entries.

Install only if you want a simple local entry tracker stored under ~/.agv. Do not rely on it for real AGV routing, vehicle status, facility operations, or industrial automation unless the publisher makes the purpose and implementation match and documents storage, deletion, and export behavior clearly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill is presented as an AGV route planner, but the documented commands describe a generic local datastore that can add, search, remove, export, and reconfigure arbitrary entries. This mismatch is dangerous because it can cause an agent or user to invoke broader file and data-management behaviors than expected, increasing the chance of unintended data access, deletion, or export under an industrial-looking label.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The manifest markets the skill as AGV-specific, while the command set is a generic entry-management and configuration utility. In an agent ecosystem, this creates security-relevant deception because tool selection may be based on metadata, leading the agent to grant or use capabilities unrelated to the user’s AGV task.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The prose claims AGV-specific functionality, but the command descriptions are generic entry handling operations such as add, list, search, remove, and export. This inconsistency can mislead operators and automated systems about what data the skill manipulates and what side effects it may have, making misuse and unintended local data operations more likely.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is presented as an AGV route planner, but the implementation is a generic local data manager that stores, searches, removes, exports, and configures arbitrary user data. This mismatch is dangerous because users and agent frameworks may grant trust, permissions, or invoke the skill under false assumptions, enabling covert local data collection and manipulation unrelated to the advertised AGV purpose.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The generic config subsystem allows arbitrary key/value persistence unrelated to AGV routing or status checks. In the context of a narrowly scoped operational skill, this expands capability beyond the declared purpose and creates an unnecessary channel for storing arbitrary data, which can be abused for hidden state, exfiltration staging, or policy bypass within an agent environment.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The help text and header comments advertise AGV route-planning behavior, but the exposed commands are generic entry-management operations. Deceptive or materially inaccurate documentation increases risk because operators may trust and use the tool in sensitive environments while unaware that it is actually collecting and managing arbitrary local data.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The invocation guidance is broad and ambiguous, giving little boundary around when the skill should or should not be used. That increases the chance an agent selects it in inappropriate contexts, which is more concerning here because the documented commands include local data manipulation and configuration changes.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
A destructive remove command is documented without warning about deletion scope, permanence, or confirmation requirements. In agent-driven workflows, an apparently routine command can lead to silent data loss if invoked automatically or on ambiguous user intent.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The export command writes data to a file, but the documentation does not warn about filesystem side effects, output location, or possible overwrites. This can lead to unintended data disclosure or clobbering of files when an agent performs exports without the user understanding where data is being written.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The script persistently stores user-provided values in a local JSONL file without clear up-front disclosure. While local persistence is not inherently malicious, undisclosed storage is risky in agent tooling because users may supply operationally sensitive data assuming it is transient.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The remove command irreversibly edits the backing data file with no confirmation, dry-run option, or recovery mechanism. In an agent or automation context, an incorrect argument or unintended invocation can destroy records silently, causing data loss and reducing auditability.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The export command writes collected data to a new file without warning that the output may contain sensitive previously stored content. This can increase accidental disclosure risk, especially if run in shared directories, automated workflows, or environments where exported files are later uploaded or committed.

VirusTotal

66/66 vendors flagged this skill as clean.
