ClawHub

Beautsgo Booking

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it advertises, but it needs review because it can send sensitive appointment details to external services and includes risky developer scripts and exposed API credentials.

Install only if you are comfortable with BeautsGO/Yestokr receiving booking details such as clinic choice, appointment timing, party size, and contact information. Do not run the bundled scripts unless you understand their filesystem, account, and publishing side effects. The publisher should add an explicit final consent step before submission, remove or rotate exposed API credentials, stop logging contact payloads, and replace shell-based URL opening with safer argument-based process execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The documentation instructs local command execution to open URLs via a Node script. Even if intended for convenience, invoking local commands from a skill increases the attack surface because malformed or attacker-controlled URLs/arguments could lead to unsafe execution paths or unintended app/browser launches on the host system.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script's optional `--publish` path executes shell commands to commit, push, and publish the skill via `execSync`, which extends far beyond merely syncing hospital data. In a supply-chain context, this is dangerous because anyone or any automation invoking the script with `--publish` can trigger repository changes and external publication, increasing the blast radius of mistakes or compromised data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly advertises "Direct API Booking" via `POST /api/Appointment/saveFromSkill` but does not clearly disclose what personal data will be transmitted, when it will be sent, or how user consent is obtained before submission. In a medical tourism and appointment-booking context, users may provide sensitive personal and health-related details, so unclear data-transfer disclosure creates a meaningful privacy and informed-consent risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill collects a phone number and sends it to an external booking API, but the sample interaction flow does not present a prominent, immediate privacy warning or explicit consent checkpoint right before transmission. In a medical/aesthetic booking context, contact details are sensitive, and users may not realize their number will be shared with a third party when they reply in natural language.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill collects a phone number and appointment details, then transmits them to a remote API without an explicit just-in-time notice or consent prompt at submission time. In a medical-tourism context, contact details combined with clinic selection and appointment timing can be sensitive personal data, so silent transmission increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script unconditionally runs 'rm -rf' on a computed target path for every matching session directory without validation, prompting, or safety guards. If the base path is broader than expected, a session path is malformed, or the target resolves unexpectedly, it can destroy existing skill data across many directories at once and make recovery difficult.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script explicitly tells the operator to read and retain an Access Token that is printed to the console during registration. Console output is often captured in shell history tools, CI logs, screen recordings, or shared terminals, so exposing a reusable authentication token this way creates a real credential leakage risk.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The follow-up commands are defined as very generic natural-language phrases like opening links, booking, or contacting support without requiring strong confirmation of booking context. In a multi-turn assistant environment, these phrases can be triggered by ordinary user utterances and cause unintended side effects such as opening external pages or initiating a booking flow against the wrong hospital context.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The price-check behavior permits very broad phrases like '查价格' and relies on ambient context to infer the hospital. This can cause the skill to open the wrong external price page or perform an unintended navigation when the user is speaking generally, especially in multi-turn conversations where stale context may persist.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal