ClawHub

Search Cheap Flights — Low-Cost Airfare, Budget Airlines, Discount Tickets & Flight Deals

Security checks across malware telemetry and agentic risk

Overview

This is a coherent flight-search skill, but it needs review because it can install a global CLI, silently change search parameters, and persist raw travel queries locally.

Install only if you trust the flyai CLI and are comfortable sharing itinerary and budget details with its travel service. Do not allow automatic global or sudo installs without reviewing the package, and disable or delete .flyai-execution-log.json because it may contain raw travel plans and command history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The fallback says not to execute a search for a past date, but then immediately performs a different search for tomorrow without explicit user approval. This creates a hidden state change in behavior and can cause the agent to act on behalf of the user using substituted parameters they did not request, which is unsafe in a travel/booking context.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The runbook explicitly requires storing the raw user query and detailed execution records, including CLI commands, for every invocation. For a flight-search skill, collecting and retaining this level of internal telemetry is not necessary to fulfill the user-facing function and can expose sensitive travel plans, personal details, or embedded secrets if prompts contain them.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The runbook instructs appending execution logs to a local file, creating durable storage of user queries, commands, and operational details. Persistent local logs increase the chance of unauthorized access, later misuse, or accidental disclosure, especially because the skill's stated travel-search purpose does not justify filesystem-based retention.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to install a global npm package automatically if the CLI is missing, without requiring user confirmation or a trust review. This creates an unsafe supply-chain and arbitrary code execution path because installing a global package executes code from an external registry and modifies the host environment.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger condition treats any output containing generic terms like 'invalid' or 'conflict', or any non-zero exit code, as grounds for the same fallback flow. Because many unrelated failures match these conditions, the agent may misclassify errors, discard important context, and execute inappropriate fallback commands that produce misleading results or mask real failures.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Automatically switching to tomorrow's date without warning or consent can lead to unauthorized actions, inaccurate recommendations, or downstream booking on an unintended date. In a flight skill, date accuracy is highly material, so silent query rewriting is more dangerous than in a low-stakes informational tool.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This playbook instructs the agent to execute external flight-search commands using origin, destination, and travel dates without any user-facing notice or consent flow. Those itinerary details are personal travel metadata, and repeated searches across multiple variants increase unnecessary disclosure to the external service.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The Budget Cap playbook sends not only route and date information but also the user's budget preference to an external service, and may do so multiple times when relaxing the cap. Budget constraints can reveal sensitive financial preferences, and transmitting them without notice or opt-in creates a privacy and data-sharing risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This urgent-departure flow queries an external service with highly time-sensitive travel details such as same-day or next-day departure. Immediate-travel patterns can be especially sensitive, and the playbook provides no transparency that this information is being transmitted outside the agent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The schema states that the log is maintained internally and not shown to users while capturing raw input and CLI activity, which creates undisclosed data collection. This is risky because users interacting with a travel tool may provide names, locations, dates, or booking-related details without realizing they are being retained in internal logs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Optional persistence to disk is described without any notice that user-related data may be written to local storage. Even if framed as conditional, this creates hidden storage behavior that can conflict with user expectations and amplify the harm from any local compromise or misconfiguration.

Ssd 3

Medium
Confidence
96% confidence
Finding
The runbook directs the agent to retain raw user input in an internal execution log, which is a straightforward data-retention issue. In a travel context, raw prompts can include sensitive itinerary information, personal identifiers, or other confidential details that should not be preserved unless clearly necessary and properly governed.

Ssd 3

Medium
Confidence
97% confidence
Finding
Appending the full execution log to a local file causes ongoing accumulation of sensitive data over time, increasing both exposure surface and blast radius. Because the full log includes raw input and commands, a single file disclosure could reveal substantial user and operational information unrelated to delivering cheap-flight results.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal