ClawHub

Cyber Travel

Security checks across malware telemetry and agentic risk

Overview

Cyber Travel is an instruction-only virtual travel-writing skill that saves trip outputs locally, with no evidence of hidden code, credential access, or exfiltration.

Install only if you are comfortable with the agent searching travel sites, saving trip files and images locally, and optionally maintaining immersive trip state over time. Avoid entering sensitive future travel details unless needed, review any scheduled mode before enabling it, delete the trip folder when done, and check image rights or attribution before reusing real photos.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill persistently writes detailed trip plans, daily journals, checkpoints, and summaries into the memory/ directory without any user-facing disclosure or consent step. This is risky because the generated content may include sensitive travel preferences, dates, locations, and derived personal context that remain stored beyond the immediate session, increasing privacy and data retention exposure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to search for, download, and save external real photos into a local images directory without warning the user that external media will be fetched and stored. This creates privacy, storage, and content-safety concerns, and may also introduce copyright/licensing issues because third-party media is being locally retained and reused in generated outputs.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal