TripIt

Security checks across malware telemetry and agentic risk

Overview

This TripIt skill mostly does what it says, but needs review because it tells agents to save a private TripIt calendar link that can keep exposing travel details.

Review before installing. Use it only if you are comfortable sending personal travel details to TripIt through an email tool. Do not allow the agent to store your TripIt iCal feed URL unless you explicitly choose secure storage, retention, and deletion rules; regenerate the feed URL if it is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The documentation recommends storing a user's private TripIt iCal feed URL, which acts like a bearer secret granting ongoing read access to the user's itinerary. If retained insecurely, logged, or exposed to other tools or users, it could enable long-term unauthorized access to sensitive travel details such as destinations, timing, and booking metadata.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding:
The activation guidance uses broad natural-language triggers like adding or syncing travel to TripIt, which could cause the skill to be invoked in contexts the user did not intend. In this skill's context, unintended invocation is more sensitive because it can prepare and facilitate sending travel itinerary data to a third-party service tied to the user's account.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The skill instructs sending detailed travel itinerary information by email to a third party without a clear privacy notice or consent checkpoint. Travel bookings contain sensitive personal and behavioral data, and emailing them can expose that data through mail providers, logs, sent-mail retention, or accidental transmission from the wrong account.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The guidance recommends storing the user's private TripIt iCal feed URL and notes that it is stable, but does not warn that this URL is effectively a long-lived secret. Because possession of the URL may be sufficient to read the user's travel calendar without further authentication, disclosure could expose ongoing and future itinerary information and materially increase privacy risk.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
This reference instructs agents to send structured travel itineraries to a third-party email address and includes fields for highly sensitive personal travel data such as names, booking confirmations, flight details, hotel stays, and activity plans, but it does not warn about the privacy implications or require user awareness/consent. In the context of an agent skill that automates TripIt updates via email, this omission increases the risk of oversharing personal itinerary data to an external service without clear disclosure.

VirusTotal

66/66 vendors flagged this skill as clean.
