Korean Booking

Security checks across malware telemetry and agentic risk

Overview

This booking skill has a real booking purpose, but it should be reviewed because it can submit appointment details and includes unsafe browser and command automation.

Install only if you are comfortable with this skill opening third-party BeautsGO pages and sending appointment details, including contact information and cosmetic/medical-service intent, to BeautsGO. Before using booking, verify the clinic, date, contact info, and destination domain yourself; avoid running the bundled debug or sync scripts unless you understand their local effects.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Tp4

High
Category
MCP Tool Poisoning
Confidence
85% confidence
Finding
The skill description frames browser usage as limited to opening visible pages, but the detected behavior includes fuller Playwright automation, form filling, and a browser context configured with security-bypass settings such as bypassCSP and disable-web-security. That expands the trust boundary significantly and could enable unintended interaction with web content, data exposure, or abuse beyond simple user-visible navigation.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The browser context requests geolocation, notifications, clipboard-read, and clipboard-write permissions even though the stated task is only to open a hospital page and click a consultation button. If the target page or any third-party content is malicious or compromised, these excess permissions expand what the page can access and increase privacy and data-exfiltration risk without a functional need.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script launches Chromium with multiple dangerous flags such as --disable-web-security, bypassCSP, insecure private network allowances, and --allow-running-insecure-content, while also disabling sandboxing. This turns an untrusted webpage visit into a far less isolated execution environment, making cross-origin abuse, mixed-content loading, private-network access, and browser compromise materially easier if the page, its dependencies, or redirected content are hostile.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This code passes a user-controlled URL directly into shell commands via exec on all platforms. Wrapping the URL in double quotes is not sufficient to prevent command injection because shell metacharacters can still be interpreted in some contexts, and the capability also allows opening arbitrary local or remote resources outside the advertised browser-free workflow. In this skill context, hospital detail pages and customer-service links may come from external data sources or user input, which increases the chance of abuse if URL handling is not strictly constrained.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The documentation describes behavior that extends beyond the stated reservation-assistant purpose: launching a local browser and using Playwright to click UI elements instead of limiting actions to a direct booking API flow. Even though this file is documentation, it signals implementation of local system and browser automation that can execute user-triggered side effects on the host, increasing attack surface and creating opportunities for unsafe navigation or unintended actions.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Using child_process.exec to open the system browser introduces host-level command execution into a booking assistant, which is a sensitive capability not clearly necessary for the core task. If URLs or command arguments are ever influenced by untrusted input, this can lead to command injection, unsafe local application launching, or navigation to attacker-controlled pages; the skill context makes this more dangerous because a reservation assistant is expected to handle user-supplied hospital names, links, and follow-up prompts.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The design doc specifies opening a local browser and driving page interaction via Playwright, which materially expands the skill from a bounded reservation assistant into one that can trigger host-side actions. Even if intended for convenience, this mismatch with the declared model ('direct POST, no browser') creates misleading security expectations and increases the attack surface through local automation.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The documented '帮我预约' ("help me book") flow performs browser automation and clicks a booking button instead of collecting user data and submitting a controlled API request as advertised. This is dangerous because the user and platform may believe the skill only performs narrowly scoped reservation POSTs, while in reality it can navigate pages and trigger arbitrary UI actions in a browser context.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Using exec() to invoke OS commands like open/start/xdg-open gives the skill host-level command execution capability, which is far broader than necessary for a beauty booking assistant. If the URL or command construction is ever influenced by untrusted input, this can lead to command injection or unwanted application launches; even without injection, it violates least privilege and creates unsafe side effects on the user machine.

Context-Inappropriate Capability

Low
Confidence
89% confidence
Finding
The page loads multiple third-party analytics and tracking scripts, including Google Tag Manager and Alibaba telemetry, despite the skill being described primarily as a booking assistant. In a medical-beauty booking context, these trackers can expose sensitive browsing behavior, referral context, and potentially user interaction metadata to external parties, creating privacy and data-governance risk.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The test script explicitly exercises browser-driven actions for opening links, clicking booking buttons, and launching customer-service flows, which expands the skill’s operational behavior beyond the described direct POST-based booking flow. This matters because browser automation introduces additional attack surface such as unintended navigation, interaction with untrusted pages, and execution of side effects that are not reflected in the declared capability model.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The inline comments and test flow describe Playwright/browser automation for booking and customer-service steps, directly contradicting the stated direct-API submission model. Security-relevant mismatches between manifest, documentation, and exercised behavior can conceal real capabilities from reviewers and users, leading to underestimation of the skill’s ability to open pages and perform interactive actions.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script captures the full rendered HTML of a hospital webpage and writes it to a fixed local filesystem path. Full-page snapshots can contain dynamic content, embedded identifiers, chat widgets, pricing/session metadata, or other third-party data not necessary for the booking assistant’s core function, creating unnecessary data retention and potential privacy/compliance risk.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script creates a Playwright browser context with `bypassCSP: true`, which disables the target page’s Content Security Policy and allows injected/evaluated code to run with fewer browser-enforced restrictions. For a booking assistant that only needs to inspect or automate form interactions, bypassing CSP is unnecessary and weakens an important defense boundary, especially when visiting a third-party booking page and executing `page.evaluate()` against its DOM.

Description-Behavior Mismatch

Low
Confidence
88% confidence
Finding
The script dumps large sections of `document.body.innerHTML` to stdout, which can capture sensitive user-visible content, embedded tokens, prefilled form fields, contact details, or internal page metadata. In a booking/medical-aesthetics context, this is more dangerous because pages may contain personal or appointment-related data, and logs are often less protected than the application itself.

Ssd 3

Medium
Confidence
90% confidence
Finding
The skill recursively scans all string fields in context and reuses them to infer the target hospital. In a conversational agent, context often contains prior user messages, summaries, or other sensitive text, so this broad collection can cause unrelated historical content to influence later actions and may surface or misuse sensitive data across turns.

VirusTotal

64/64 vendors flagged this skill as clean.
