schedule-planner-cxf

Security checks across malware telemetry and agentic risk

Overview

This travel-planning skill is not malware, but it needs review because it can create travel orders, handle passenger identity data and generate payment handoff pages, and because its privacy disclosures are inconsistent with that behavior.

Install only if you are comfortable giving this skill local API keys and passenger details and letting it interact with Amap/Tuniu services. Treat it as capable of creating pending travel orders and payment handoff pages, not just planning trips; confirm every booking/payment step yourself and avoid storing real ID numbers or phone numbers in .env unless you understand the local persistence risk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The README makes a misleading privacy claim by stating the skill does not store any user personal sensitive information while also instructing users to place API keys and personal information in a local .env file. Even if storage is only local, secrets and personal data are still being stored, which can mislead users about privacy exposure and reduce appropriate handling of sensitive material.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The README claims that API calls are not transmitted to any third-party servers, but the documented functionality explicitly relies on Amap and Tuniu APIs, which necessarily means data is sent to external services. This is a materially false disclosure that can cause users to share itinerary, location, or credential data under incorrect assumptions about external data exposure.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The documentation instructs the agent to create third-party travel orders using locally stored passenger identity and contact data. This moves the skill from recommendation into transactional execution, increasing the risk of unauthorized bookings, privacy exposure, and accidental submission of sensitive identity data to external services.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The privacy section claims the skill does not upload personal information, but later examples repeatedly send name, ID number, and phone data to third-party booking APIs. This contradiction can mislead users about where their data goes, undermining informed consent and creating a significant privacy/compliance risk.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill includes generation of payment QR-code webpages and direct payment-link presentation, which is materially more sensitive than travel planning because it nudges users into payment flows and writes artifacts locally. In context, that expands the attack surface for phishing-style presentation, unsafe local file handling, and undisclosed payment redirection behavior.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The demo shows the skill generating local files, opening a browser, and surfacing a payment/order URL, which materially expands the apparent capability beyond passive trip planning. Even though the content is marked as simulated, documenting these side effects can normalize or justify future implementations that perform file writes, browser launching, or payment-flow handoff without clear user consent and without those capabilities being declared in metadata.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The document states that booking must be completed by the user in the Tuniu app, but then demonstrates a pending-payment link and QR payment page. This inconsistency weakens the trust boundary: users or downstream integrators may believe the skill can safely transition into transactional flows, increasing the risk of deceptive UX, unauthorized purchase assistance, or unsafe payment redirection.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The contradiction between 'user must complete booking in the app' and the later QR-code/payment-page generation is a security-relevant boundary mismatch. In agentic systems, unclear transactional authority is dangerous because it can conceal scope creep into purchase or payment workflows and make users less able to distinguish advisory output from actionable commerce operations.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The script launches a local CLI subprocess and injects an API key from environment variables into that child process. While invoking a travel CLI is related to the skill’s purpose, doing so through a locally installed binary under a user-controlled home/AppData path creates a trust-boundary problem: a replaced or trojanized tuniu-cli binary would execute with inherited environment and gain access to the credential. In an agent skill context, this is more dangerous because it expands the attack surface from API usage to arbitrary local code execution via dependency/path tampering.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The script writes files to the user's Desktop and launches the generated HTML automatically without any consent, warning, or sandboxing. In a travel-planning skill context, unexpected local file creation and auto-opening expands the skill from conversational planning into desktop-side effects, which can surprise users and create privacy and trust issues.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
In mock mode, the script writes generated trip data directly to a predictable Desktop file. Even if mock mode does not include passenger PII, writing travel itineraries to a user-accessible shared location without consent creates unintended local persistence and privacy exposure, especially on multi-user or monitored endpoints.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill tells the agent to remember and reuse user preferences across turns without a clear retention notice or user-facing control over that memory. In a travel context, these preferences can reveal behavioral patterns and may become sensitive when linked with destinations, budgets, family status, or accessibility needs.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The code reads `TUNIU_API_KEY` from the environment and forwards it to a subprocess, extending the trust boundary to an external CLI located under a user-writable npm path. If that CLI is replaced, tampered with, or behaves unexpectedly, the credential could be exposed or misused without visibility to the user.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script writes tripData, which includes passenger information and itinerary details, to a predictable file on the Desktop without user confirmation or warning. This can expose personal and travel data to other local users, backup/sync services, enterprise monitoring tools, or malware watching common directories.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"skill-card.md"
  ],
  "dependencies": {
    "qrcode": "^1.5.4"
  }
}
Confidence
87% confidence
Finding
"qrcode": "^1.5.4"

VirusTotal

65/65 vendors flagged this skill as clean.