apartment-hotel

Security checks across malware telemetry and agentic risk

Overview

This travel skill is not malicious, but it needs review because it can automatically install an unpinned global npm CLI and send travel search details to an external service.

Review before installing. Use it only if you are comfortable with an agent installing FlyAI CLI globally through npm and sending travel search details to FlyAI/Fliggy. Prefer manual approval of any install, verify the npm package and version first, and treat this as a flight-search skill unless broader workflows are added.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium
Confidence: 95%
Finding: The skill explicitly states that only documented CLI flags may be used, yet the direct-flight playbook invokes an undocumented `--journey-type 1` flag. This inconsistency can cause agents to execute unsupported or unintended command variants, weakening safety guarantees and making command behavior less auditable.

Vague Triggers

Medium
Confidence: 91%
Finding: The activation triggers include broad phrases like 'find a hotel' and '订酒店', which are common travel intents not specific to this skill. This can cause the skill to activate unexpectedly and steer ordinary user requests into external CLI execution paths, increasing the chance of unnecessary tool use and unintended data exposure.

Missing User Warnings

High
Confidence: 98%
Finding: The skill directs the agent to automatically perform a global npm installation of `@fly-ai/flyai-cli` when the tool is missing, without user consent or review. Automatic package installation executes code from an external registry and changes the host environment, which is a significant supply-chain and environment-integrity risk.

Missing User Warnings

Medium
Confidence: 94%
Finding: The skill mandates external CLI execution for travel queries but does not clearly warn the user that their request may trigger shell commands and possibly network access. This undermines informed consent and can lead to unexpected outbound requests or local environment interaction during otherwise routine queries.

Ssd 4

Medium
Confidence: 90%
Finding: The workflow uses coercive language such as 'mandatory installation', 'never skip', 'do not use training data', and 're-execute until compliant', pushing the agent toward repeated external command execution instead of safe failure. This pattern increases the likelihood that an agent will override caution, ignore missing trust signals, and keep attempting risky operations on the user's system.

VirusTotal

64/64 vendors flagged this skill as clean.
