ClawHub

通用商旅出行规划助手

Security checks across malware telemetry and agentic risk

Overview

This travel-planning skill appears purpose-aligned, but users should know it can use third-party travel/map/search services and save/share itinerary reports.

Install if you are comfortable using external travel/map/search services for itinerary planning. Avoid entering confidential meeting details or sensitive travel plans unless you intend them to be used in lookups and included in generated reports; review any booking links before acting on them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

High
Confidence
92% confidence
Finding
The trigger phrases are very broad and map to common travel-related language, so the skill may activate in ordinary conversation without clear user intent. In this skill's context, unintended activation is more concerning because it can cause trip details to be collected and sent to external services, and can generate booking/report links from sensitive itinerary data.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The markdown trigger examples are ambiguous and do not distinguish casual discussion from deliberate invocation. Because this skill performs external searches, route queries, and report generation, accidental invocation could expose itinerary, location, and preference data beyond what the user expected.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The description advertises integrations with 12306 MCP, AMap, and web search, plus one-click booking links, but does not warn users that their trip details may be transmitted to third-party services. In a travel-planning skill, this omission increases privacy risk because itinerary, destination, dates, and meeting-related information can be sensitive business data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The HTML report feature writes trip information into a file and may make it available via attachment or preview URL, but the skill does not warn users that sensitive itinerary data will be persisted and potentially shareable. In this context, the report can contain cities, dates, hotels, meeting venues, and booking links, creating a meaningful confidentiality risk if stored or shared unintentionally.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal