Security audit

携程酒店搜索 (Ctrip Hotel Search)

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but it asks users to store travel-account passwords in plaintext and includes an under-disclosed third-party search path.

Review before installing. Use only a dedicated or low-risk Ctrip account, do not commit or share config.json, and prefer environment variables or a local secret manager if you adapt it. Treat demo hotel recommendations as unverified examples, and be aware that the included Python scripts can route search queries through Maton/Brave rather than Ctrip.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability

Severity: Medium. Confidence: 84%.
The skill sends user-intended hotel-search activity to an unrelated third-party service (gateway.maton.ai / Brave search) despite being described as a Ctrip browser-automation skill. This creates an undisclosed data-flow and trust-boundary violation: user queries, travel intent, and API credentials are handled by an external provider that users would not reasonably expect, increasing privacy, compliance, and supply-chain risk.

Description-Behavior Mismatch

Severity: Medium. Confidence: 94%.
The file is presented as a hotel search results document, but it explicitly admits the skill could not access Ctrip and then substitutes manual instructions and invented reference data. This is dangerous because users may rely on fabricated or unverified availability, pricing, ratings, and recommendations as if they were real search output, leading to misleading decisions and erosion of trust.

Intent-Code Divergence

Severity: Medium. Confidence: 96%.
The document labels hotels as recommended options and gives ratings, prices, locations, and review themes in a format that resembles actual search output, while admitting the information is only estimated or demo data. In the context of a travel-booking skill, this makes the deception more dangerous because users expect factual, current booking information and may act on inaccurate representations.

Missing User Warnings

Severity: Medium. Confidence: 91%.
The guide instructs users to place their Ctrip username and password directly into a local `config.json` file, which encourages plaintext credential storage. This increases the risk of accidental exposure through source control commits, file sharing, backups, or local compromise, especially because the warning appears later and not at the point where the secret is introduced.

Missing User Warnings

Severity: Medium. Confidence: 87%.
The README explicitly promotes automatic login using stored Ctrip credentials and shows placing a username and password in a local config.json file, but it provides only a brief note to safeguard the file and does not adequately describe credential-handling risks such as accidental commit, local disclosure, or interception during browser automation. In the context of a browser automation skill that logs into a real third-party account, this increases the chance that users will adopt insecure secret storage and underestimate the sensitivity of the workflow.

Missing User Warnings

Severity: Medium. Confidence: 92%.
The skill states it will automatically log into a Ctrip account but gives no warning about how credentials are handled, stored, or entered during browser automation. In the context of a travel account, this can expose usernames, passwords, session cookies, booking history, and personal data if the automation or surrounding environment is compromised or overly permissive.

Missing User Warnings

Severity: Medium. Confidence: 92%.
The guide explicitly tells users to place their Ctrip account credentials in a local config.json file, but provides no guidance on secure storage, file permissions, encryption, or exclusion from version control. In a browser-automation skill that logs into a live account, this creates a realistic risk of credential disclosure through accidental commits, local compromise, logs, backups, or shared workspace access.

Missing User Warnings

Severity: Medium. Confidence: 95%.
The code automatically uses configured Ctrip credentials to perform a remote login, but there is no visible consent gate, warning, or runtime confirmation before authenticating to a third-party service. In an agent/skill context, this is risky because it can cause unintended account use, trigger external side effects, and expose sensitive credentials or session state if the environment is shared or logs/telemetry are mishandled.

Missing User Warnings

Severity: Medium. Confidence: 92%.
The demo script explicitly tells users to place their Ctrip account username and password into a local config.json file, normalizing plaintext credential storage without any guidance on secret handling, file permissions, encryption, or exclusion from version control. In the context of a browser-automation skill that logs into a real account, this increases the chance of credential leakage through source control, logs, backups, or accidental sharing.

Missing User Warnings

Severity: Medium. Confidence: 90%.
The report instructs the user to configure a Ctrip account but provides no warning about how credentials should be stored, protected, or handled during browser automation. In a skill that automates login to a travel account, this omission can lead to unsafe practices such as plaintext credential storage, accidental logging, or reuse of sensitive session data.

Missing User Warnings

Severity: Medium. Confidence: 92%.
The document instructs the user to configure a Ctrip account in config.json but provides no guidance on secure credential handling, such as avoiding plaintext secrets, restricting file permissions, or excluding the file from version control. In a browser-automation skill that performs account login, this increases the likelihood that users will store credentials insecurely and expose their travel account or related personal data.

VirusTotal

66/66 vendors flagged this skill as clean.