Back to skill

Security audit

carkey

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed vehicle-status lookup tool, but it handles sensitive vehicle location data and API credentials that users should protect carefully.

Install only if you use the Tika/Chengqu digital key service and trust this publisher with access to vehicle location and status. Prefer setting TIKA_API_KEY yourself in a protected environment, avoid pasting the real API key into chat prompts or command-line history on shared systems, and run --clear-auth or delete ~/.skill_carkey_cache.json when cached access is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill describes capabilities to read environment variables, read/write local files, invoke shell commands, and make network requests, yet it declares no explicit permissions or trust boundaries. This creates a transparency and governance problem: users and hosting platforms may not realize the skill can access credentials and persist them locally while contacting a remote API.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill persists authentication material in a local cache file under the user's home directory, which expands the exposure window for vehicle-access credentials beyond a single query. Although the file is created with restrictive permissions, long-lived local storage of tokens increases the chance of credential theft from the host, backups, or accidental reuse by other processes.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly suggests that users can provide their full API key directly to OpenClaw in natural-language prompt text. Even though the document elsewhere notes that API keys are sensitive, this specific guidance normalizes sharing a high-value credential with an agent without a clear, immediate warning about exposure, logging, retention, or accidental disclosure through prompt history and tool traces. In a skill that accesses vehicle location and status, credential compromise can expose sensitive physical-location and vehicle-state data.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly supports writing the full API key to ~/.skill_carkey_cache.json for later reuse, but does not provide a strong warning about the security risks of storing long-lived credentials on disk. If the local machine is shared, compromised, backed up insecurely, or the file permissions are weak, the API key could be stolen and used to query sensitive vehicle data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill queries a remote API for highly sensitive telemetry including vehicle location, VIN, address, and condition data, but the documentation does not clearly warn users that this information leaves the local environment and is sent to a third-party endpoint. This lack of transparency can lead to unintended disclosure of precise location and vehicle identifiers, which are especially sensitive in the context of a car-access skill.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The skill reads sensitive authentication material from environment variables and may persist it locally without an explicit warning or consent flow. In a skill context that is advertised as query-only, this makes the behavior more dangerous because users may not expect secrets supplied for one run to be retained on disk.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.