ClawHub

Dataify Google Flights

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Dataify Google Flights API helper with clear confirmation steps, though users should handle the API token carefully.

Install this only if you intend to make Dataify Google Flights API requests. Prefer setting DATAIFY_API_TOKEN in your environment instead of pasting a token into chat, and review the parameter table carefully before confirming, especially if the Chinese column labels are not clear to you.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger description is broad enough to activate on common travel-related requests such as searching flight prices or itineraries, which can cause the skill to intercept user intent unexpectedly. Over-broad invocation can route unrelated or only loosely related requests into this skill's workflow, increasing the chance of unintended external API use, unnecessary data disclosure, or degraded user control.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
Mandating Chinese-only table column labels without user opt-in can reduce transparency and informed consent for users who do not read Chinese. Because the table is the required pre-call confirmation step, a language mismatch may cause users to approve API requests they do not fully understand, weakening the confirmation control.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
Repeating a fixed Chinese-language output requirement in the workflow reinforces a user-interface constraint that can impair comprehension during a security-relevant confirmation step. This makes the pre-execution approval less reliable, especially when the skill may initiate authenticated external requests after the user confirms.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal