Travel Guide Test
Security checks across malware telemetry and agentic risk
Overview
The skill is mostly coherent for travel planning, but it appears to make public Cloudflare Pages deployment part of the default workflow without an explicit final approval step.
Before installing, confirm that the agent will not publish anything to Cloudflare Pages without your explicit approval. Review the exact guide content before deployment, use limited Cloudflare credentials if needed, and decide what traveller profile details may be stored for future trips.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A travel guide containing trip details could be published online or a Cloudflare account could be modified before the user has clearly approved publication.
Publishing to Cloudflare Pages is a high-impact external/account action. The artifact presents deployment as the final default step, but the provided text does not show an explicit user confirmation or scoping requirement before publishing.
Follow this sequence: 1. Discover the travellers, constraints, and vibe. ... 5. Turn the plan into a skimmable, image-led static webpage. 6. Deploy to Cloudflare Pages.
Require an explicit final approval before any deployment, clearly show what will be published, which Cloudflare account/project will be used, and how to undo or remove the site.
The agent may need access to a Cloudflare account or deployment tooling to complete the publishing workflow.
Cloudflare Pages deployment normally requires delegated Cloudflare account authority. This is aligned with the skill's purpose, but users should verify credential scope because the registry metadata declares no primary credential or required environment variables.
turn them into polished static travel-guide webpages deployed to Cloudflare Pages
Use a narrowly scoped Cloudflare token or project-specific access where possible, and confirm the target account, project, and domain before deployment.
Preferences, constraints, children's ages or interests, food preferences, and other travel-relevant details may be remembered and reused in future planning.
The skill explicitly supports durable reusable traveller profiles. The artifact limits the profile to travel-planning preferences, but this is still persistent personal context.
The skill may: - create a primary group profile - create optional traveller-specific subprofiles when they materially affect planning - reuse an existing profile for future travel planning - update the profile after a trip or after the user clarifies a preference
Store only information the user agrees should be reused, avoid sensitive details unless necessary, and provide a way to review, update, or delete traveller profiles.