Multi City Planner

Security checks across malware telemetry and agentic risk

Overview

This travel-planning skill is broadly on-purpose, but its scripts handle trip details in a way that could let crafted input run unintended commands on the user’s computer.

Review before installing. Only run it with itinerary text you trust, and prefer a fixed version that replaces execSync shell strings with spawn/execFile argument arrays plus strict date and city validation. Treat the bundled HTML reports as examples, not current prices or availability, and expect live searches and any optional API-key use to go through the external flyai service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The footer claims the report is based on real-time flight data, but the HTML is entirely static and contains hardcoded prices and itinerary details with no mechanism to fetch or refresh live data. In a travel-planning skill, this can mislead users into trusting stale pricing and availability, causing bad booking decisions or financial loss.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The script builds a shell command string with user-controlled values (`origin`, `cities`, `depDate`, `retDate`) and passes it to `execSync`, which invokes a shell. Even though arguments are wrapped in double quotes, shell metacharacters such as command substitution can still be interpreted, enabling command injection. In a trip-planning skill, launching subordinate scripts may be functionally justified, but doing so through shell string interpolation makes the context more dangerous because the inputs come directly from CLI parameters.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: The script builds a shell command string with user-influenced values and passes it to execSync, allowing shell metacharacters in origin/cities/date arguments to alter command execution. In an itinerary tool, this creates an unjustified command-execution surface that can lead to arbitrary local command execution under the user's privileges.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The script builds a shell command string and executes it with execSync, which invokes a shell. Even though the current values are hardcoded, this pattern is dangerous in a trip-planning skill because any future or indirect user-controlled input passed into origin, destination, dates, or args could lead to command injection or unintended command execution. The capability is broader than needed for simple flight lookup and increases the blast radius of compromise.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding: The script builds a shell command string and executes it with execSync using values ultimately derived from user input. Because origin/destination values are only wrapped in double quotes and not safely escaped, an attacker can inject shell metacharacters or command substitutions, causing arbitrary local command execution under the agent's privileges.

Context-Inappropriate Capability

Severity: Low
Confidence: 97%
Finding: The report embeds an absolute local filesystem path (/Users/dansha/liuxiaokang/multi-city-planner/) that is unnecessary for travel-planning output. Exposing host paths leaks developer environment details and can aid reconnaissance, especially if reports are shared externally or rendered in a broader system.

Context-Inappropriate Capability

Severity: Low
Confidence: 98%
Finding: The footer repeats the same local filesystem path disclosure, again revealing host-specific implementation details unrelated to the itinerary. While low severity on its own, repeated leakage increases confidence that the skill routinely exposes environment metadata in user-facing artifacts.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: Shell execution occurs on arguments derived from process input without warning, and more importantly without safe escaping or structured argument passing. The lack of disclosure increases user risk, while the real technical issue is that crafted input can inject additional shell syntax and execute unintended commands.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding: User-controlled arguments flow into a shell command via args.join(' ') and execSync, creating direct command-injection risk. In this skill's context, cities and route values are free-form text, so crafted input such as embedded quotes, semicolons, backticks, or command substitution can execute arbitrary commands, potentially exposing local files or secrets, or enabling further compromise.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The regex patterns are very broad and can match generic trip-planning language, causing this skill to activate for loosely related requests rather than only when the user clearly wants FlyAI-specific travel search. Over-broad activation increases the chance the agent routes sensitive or irrelevant user queries into an external tool unnecessarily, creating tool-selection errors, privacy leakage to third-party services, and reduced user control.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding: The description instructs the agent to 'prioritize using this capability' for broad tourism and travel-related questions, which biases tool selection beyond narrowly scoped user intent. This can lead to unnecessary external calls, over-collection of user travel details, and inappropriate delegation to a booking/search tool when a normal informational response would suffice.

VirusTotal

63/63 vendors flagged this skill as clean.