Explore Xinjiang

Security checks across malware telemetry and agentic risk

Overview

This Xinjiang travel-booking skill is coherent, but it tells agents to install an unpinned global CLI and persist raw user travel queries locally without clear consent or retention limits.

Review before installing. Use this skill only if you trust the external flyai CLI package and are comfortable with travel queries being sent through it. Prefer installing or verifying the CLI yourself, avoid unattended global npm installs, and delete or disable .flyai-execution-log.json if you do not want raw travel requests retained locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence: 98%
Finding
The skill explicitly instructs the agent to automatically install a global npm package if the CLI is missing, which causes system modification without prior user consent. In an agent setting, this is dangerous because package installation executes code from the npm ecosystem and alters the host environment, expanding risk from accidental changes or supply-chain compromise.

Missing User Warnings

Medium
Confidence: 99%
Finding
The prerequisites and workflow both embed `npm i -g @fly-ai/flyai-cli`, normalizing unattended global installation as part of routine execution. This makes the skill more dangerous because the install step is not merely documented as optional setup; it is presented as mandatory behavior, encouraging agents to change the system state and run external package code automatically.

Missing User Warnings

Medium
Confidence: 94%
Finding
The runbook explicitly records `user_query` as raw input and instructs persistent appending of the full execution log to a local file. This creates unnecessary retention of potentially sensitive travel data, identifiers, and free-form user content without any stated minimization, redaction, access controls, or disclosure to the user.

Ssd 3

Medium
Confidence: 95%
Finding
The schema requires retention of `user_query` in an internal execution log, which may contain personal, financial, itinerary, passport, or visa-related information given the skill's travel-booking scope. Keeping raw input increases exposure in the event of local compromise, debugging access, log aggregation, or accidental disclosure.

Ssd 3

Medium
Confidence: 96%
Finding
The runbook directs appending the entire generated execution log to `.flyai-execution-log.json`, causing persistent storage of all captured fields, including user-derived data and command history. Persistent local logging broadens the attack surface and can expose sensitive travel and booking information well beyond the active session.

VirusTotal

65/65 vendors flagged this skill as clean.
