carsxe

https://clawhub.ai/api/v1/skills/carsxe/file?path=SKILL.md&version=1.1.7

github.com/clawhub.ai/carsxe

Scanned Thu, 28 May 2026 16:10:36 GMT

Scan ID crawl-z717t308ymr4wnza7arjt7jz · 1ms

SCORE 0 / 100

Verdict: Do not install

11 critical findings.

This skill leaks data via URL parameters ($CARSXE_KEY) plus 11 other issues listed below.

11 critical0 high1 medium0 rules passed

Why grade F?

score · 0 / 100

The current grade reflects 11 critical findings (any 2+ CRITs → F).

11 CRIT0 HIGH1 MED0 LOW

To reach a higher grade

D
Reach Dtarget score 30
Resolve 10 of your 11 CRIT findings — any single CRIT still keeps you at D.
C
Reach Ctarget score 55
Resolve all 11 CRIT findings.
B
Reach Btarget score 75
Resolve all 11 CRIT.
A
Reach Atarget score 95
Resolve all 11 CRIT.

Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.

Findings · ordered by severity

crit

URL embeds a credential variable

The skill builds a URL that interpolates a secret into the query string. If the agent makes this request, the credential leaves the trust boundary.

rule: url-exfiltrationline: 102CWE-200

▾

100

101**"What are the specs for VIN WBAFR7C57CC811956?"**

102→ `GET https://api.carsxe.com/specs?key=$CARSXE_KEY&vin=WBAFR7C57CC811956&source=openclaw`← URL interpolates a credential into the query string

103

104**"Decode California plate 7XER187"**

crit

URL embeds a credential variable

The skill builds a URL that interpolates a secret into the query string. If the agent makes this request, the credential leaves the trust boundary.

rule: url-exfiltrationline: 105CWE-200

▾

103

104**"Decode California plate 7XER187"**

105→ `GET https://api.carsxe.com/v2/platedecoder?key=$CARSXE_KEY&plate=7XER187&country=US&state=CA&source=openclaw`← URL interpolates a credential into the query string

106

107**"What's my car worth? VIN WBAFR7C57CC811956, 45k miles, clean condition, California"**

crit

URL embeds a credential variable

The skill builds a URL that interpolates a secret into the query string. If the agent makes this request, the credential leaves the trust boundary.

rule: url-exfiltrationline: 108CWE-200

▾

106

107**"What's my car worth? VIN WBAFR7C57CC811956, 45k miles, clean condition, California"**

108→ `GET https://api.carsxe.com/v2/marketvalue?key=$CARSXE_KEY&vin=WBAFR7C57CC811956&state=CA&mileage=45000&condition=clean&source=openclaw`← URL interpolates a credential into the query string

109

110**"Does this car have any recalls? 1C4JJXR64PW696340"**

crit

URL embeds a credential variable

The skill builds a URL that interpolates a secret into the query string. If the agent makes this request, the credential leaves the trust boundary.

rule: url-exfiltrationline: 111CWE-200

▾

109

110**"Does this car have any recalls? 1C4JJXR64PW696340"**

111→ `GET https://api.carsxe.com/v1/recalls?key=$CARSXE_KEY&vin=1C4JJXR64PW696340&source=openclaw`← URL interpolates a credential into the query string

112

113**"Check liens and theft for WBAFR7C57CC811956"**

crit

URL embeds a credential variable

The skill builds a URL that interpolates a secret into the query string. If the agent makes this request, the credential leaves the trust boundary.

rule: url-exfiltrationline: 114CWE-200

▾

112

113**"Check liens and theft for WBAFR7C57CC811956"**

114→ `GET https://api.carsxe.com/v1/lien-theft?key=$CARSXE_KEY&vin=WBAFR7C57CC811956&source=openclaw`← URL interpolates a credential into the query string

115

116**"Decode this international VIN: WF0MXXGBWM8R43240"**

crit

URL embeds a credential variable

The skill builds a URL that interpolates a secret into the query string. If the agent makes this request, the credential leaves the trust boundary.

rule: url-exfiltrationline: 117CWE-200

▾

115

116**"Decode this international VIN: WF0MXXGBWM8R43240"**

117→ `GET https://api.carsxe.com/v1/international-vin-decoder?key=$CARSXE_KEY&vin=WF0MXXGBWM8R43240&source=openclaw`← URL interpolates a credential into the query string

118

119**"Look up 2020 Toyota Camry LE"**

crit

URL embeds a credential variable

The skill builds a URL that interpolates a secret into the query string. If the agent makes this request, the credential leaves the trust boundary.

rule: url-exfiltrationline: 120CWE-200

▾

118

119**"Look up 2020 Toyota Camry LE"**

120→ `GET https://api.carsxe.com/v1/ymm?key=$CARSXE_KEY&year=2020&make=Toyota&model=Camry&trim=LE&source=openclaw`← URL interpolates a credential into the query string

121

122**"My check engine light shows P0300"**

crit

URL embeds a credential variable

The skill builds a URL that interpolates a secret into the query string. If the agent makes this request, the credential leaves the trust boundary.

rule: url-exfiltrationline: 123CWE-200

▾

121

122**"My check engine light shows P0300"**

123→ `GET https://api.carsxe.com/obdcodesdecoder?key=$CARSXE_KEY&code=P0300&source=openclaw`← URL interpolates a credential into the query string

124

125**"Extract the VIN from this photo: https://user-images.githubusercontent.com/5663423/30922082-64edb4fa-a3a8-11e7-873e-3fbcdce8ea3a.png"**

crit

URL embeds a credential variable

The skill builds a URL that interpolates a secret into the query string. If the agent makes this request, the credential leaves the trust boundary.

rule: url-exfiltrationline: 126CWE-200

▾

124

125**"Extract the VIN from this photo: https://user-images.githubusercontent.com/5663423/30922082-64edb4fa-a3a8-11e7-873e-3fbcdce8ea3a.png"**

126→ `POST https://api.carsxe.com/v1/vinocr?key=$CARSXE_KEY&source=openclaw`← URL interpolates a credential into the query string

127→ Body: `{"image": "https://user-images.githubusercontent.com/5663423/30922082-64edb4fa-a3a8-11e7-873e-3fbcdce8ea3a.png"}`

128

crit

URL embeds a credential variable

The skill builds a URL that interpolates a secret into the query string. If the agent makes this request, the credential leaves the trust boundary.

rule: url-exfiltrationline: 130CWE-200

▾

128

129**"Extract the plate from this photo: https://imagedelivery.net/moyiiSImjJPI_EZVxNMBBw/f49aed53-d736-4370-f3f4-97418841c800/public"**

130→ `POST https://api.carsxe.com/platerecognition?key=$CARSXE_KEY&source=openclaw`← URL interpolates a credential into the query string

131→ Body: `{"image": "https://imagedelivery.net/moyiiSImjJPI_EZVxNMBBw/f49aed53-d736-4370-f3f4-97418841c800/public"}`

132

crit

URL embeds a credential variable

The skill builds a URL that interpolates a secret into the query string. If the agent makes this request, the credential leaves the trust boundary.

rule: url-exfiltrationline: 134CWE-200

▾

132

133**"Get vehicle images for BMW X5 2019"**

134→ `GET https://api.carsxe.com/images?key=$CARSXE_KEY&make=BMW&model=X5&year=2019&source=openclaw`← URL interpolates a credential into the query string

135

med

No capability manifest declared

The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.

rule: no-manifest

▾

Scan another →Share

skillox.io/r/crawl-z717t308ymr4wnza7arjt7jz