Book Museum Passes & Tickets — Museum Entry, Exhibition Access, Gallery Tours & Culture Passes

Security checks across malware telemetry and agentic risk

Overview

This museum-ticket skill has a coherent travel-search purpose, but it can install a global third-party CLI and keep hidden local logs of raw user queries.

Install only if you trust the flyai CLI and are comfortable with live travel queries and booking searches being sent to that provider. Require manual approval before any global npm install, avoid entering sensitive passport, payment, identity, or private itinerary details, and check for or disable `.flyai-execution-log.json` if you do not want raw prompts retained locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium (82% confidence)
Finding
The activation triggers are broad enough that the skill may fire on generic discussions about museums, galleries, or exhibitions, causing unnecessary execution of external tooling. In this skill, that matters because activation leads to checking for and potentially installing a third-party CLI and making live network requests, which increases the chance of unintended side effects and data disclosure.

Missing User Warnings

Medium (94% confidence)
Finding
The skill directs the agent to install a global npm package and use it for live queries without any consent, trust, or provenance warning. That is dangerous because automatic package installation and outbound requests to a third-party service can introduce supply-chain risk, execute unreviewed code, and transmit user query data externally without clear disclosure.

Missing User Warnings

Medium (95% confidence)
Finding
The runbook explicitly logs the raw `user_query` and appends the execution log to a local file if writes are available, with no mention of consent, minimization, redaction, retention limits, or access controls. In a travel skill, user queries can contain sensitive itinerary, identity, visa, insurance, or booking details, so persisting them in plaintext increases privacy and data leakage risk.

Ssd 3

Medium (92% confidence)
Finding
Including `user_query: "{raw input}"` in an internal log schema creates a direct data retention risk because arbitrary user text may contain personal, financial, or travel-related information. Since the log is described as internal and not shown to users, the collection is opaque and may expose sensitive data to operators, other tools, or later compromise.

Ssd 3

Medium (93% confidence)
Finding
The rules require creating a log on every trigger and recording every CLI call and fallback, and the persistence section appends these records to a local file. In combination, this establishes broad, continuous collection of user-derived activity data, which is more dangerous in this skill because travel workflows commonly involve booking links, visa questions, destinations, and timing details that can reveal sensitive personal patterns.

VirusTotal

64/64 vendors flagged this skill as clean.
