Travel Concierge CLI

Security checks across malware telemetry and agentic risk

Overview

This travel-concierge skill appears purpose-aligned, but it can place real AI phone calls, expose a local service through ngrok, and handle sensitive credentials and personal call data without enough safeguards or disclosure.

Install only if you trust the separate concierge CLI and understand it may place real phone calls, expose a local webhook endpoint through ngrok, send audio/transcripts and booking details to third-party AI and telephony providers, and incur provider charges. Use test numbers first, set billing limits, restrict and rotate API keys, protect the config directory and logs, avoid sensitive healthcare/financial calls, and require explicit confirmation before any booking, cancellation, or disclosure of personal data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
The guide includes a restaurant-reservation calling example even though the skill metadata scopes the skill to accommodation contact and booking calls. That broadens the apparent authorized use case from lodging-related outreach to general third-party AI calling, increasing the risk of policy drift, misuse, and deployment beyond the user-consented or reviewed domain.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The documented examples expand the skill from accommodation-related booking calls into restaurant reservations and medical appointment cancellation, which is materially broader than the parent concierge skill's stated scope. This can enable unintended high-trust use cases and increase the chance the agent is invoked for sensitive or regulated interactions without appropriate safeguards, consent flows, or policy boundaries.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The examples present live outbound call commands without a prominent warning that they will place real phone calls to actual numbers and use AI-generated speech. In a voice-calling skill, this omission is especially risky because users may copy-paste examples that immediately contact third parties, causing unauthorized outreach, privacy issues, charges, or harassment-like behavior.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The README promotes autonomous AI-powered phone calls for booking without warning users about call recording laws, consent requirements, privacy exposure of guest data, or possible telephony charges. In a skill explicitly designed to place real-world calls, omitting these safeguards can lead users to deploy functionality that violates policy or law and unexpectedly incurs cost.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The README instructs users to store multiple high-value API secrets and telecom credentials but provides no warning about protecting the config file, avoiding shell history leaks, or using least-privilege credentials. Because these secrets enable voice calls and AI service usage, compromise could lead to account takeover, fraudulent charges, and exposure of user data.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The trigger set is broad enough that normal travel-assistance requests could invoke a skill that performs external lookups and potentially initiates booking workflows. In an agent ecosystem, overly broad triggers increase the chance of accidental activation, causing unintended data handling or downstream external actions.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill explicitly supports autonomous phone calls and automatic startup of ngrok and a call server, but the documentation does not foreground that these are external communications with real-world side effects. This is dangerous because a user or orchestrator may invoke the skill without realizing it can place calls, expose a local service via ngrok, and incur cost or privacy impact.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill instructs users to store multiple high-value secrets in a local config file without warning about filesystem exposure, accidental logging, shell history leakage, or multi-user host risk. Those credentials could enable unauthorized telephony, API abuse, account takeover of integrated services, or billing fraud if exposed.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
Triggers such as "call," "phone," and "dial" are extremely broad everyday terms that can cause accidental activation in unrelated contexts. For an autonomous calling capability, unintended invocation can lead to unauthorized outbound calls, disclosure of personal details to third parties, and unexpected charges or reputational harm.

Missing User Warnings

Severity: High
Confidence: 96%
Finding
The skill description says it makes autonomous phone calls using Twilio, Deepgram, and ElevenLabs, but it does not clearly warn that personal data, call audio, transcripts, and booking details may be sent to multiple third-party processors. In this context, the skill collects identity details and conducts live conversations, so missing disclosure and consent language materially increases privacy, compliance, and trust risks.

VirusTotal

65/65 vendors flagged this skill as clean.