Create Packing Lists — Trip Packing Checklist, Luggage Essentials, Travel Gear & What to Pack

Security checks across malware telemetry and agentic risk

Overview

This packing-list skill needs Review because it pushes users into a travel-commerce CLI workflow with automatic global installation, booking links, and local raw-query logging.

Install only if you are comfortable with a travel-commerce workflow that may install a global npm package, send travel queries to flyai/Fliggy-powered services, include booking links, and keep local execution logs. Avoid entering sensitive itinerary, identity, visa, or booking details unless the publisher adds clear consent, redaction, and retention controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Medium, 92% confidence
Finding
The skill is advertised as a simple packing-list helper, but its description expands into flight booking, hotels, tickets, visas, insurance, and car rental. This scope expansion can cause an agent to invoke the skill in situations far beyond the user's apparent request, increasing the chance of unintended commerce actions, over-collection of travel data, or inappropriate tool use.

Intent-Code Divergence

Medium, 88% confidence
Finding
The file says every answer must come from flyai CLI output and include booking links, yet later embeds domain knowledge for packing advice that is not CLI-derived. This contradiction creates prompt ambiguity that can lead an agent to mix tool output with embedded instructions, undermining provenance guarantees and making it easier to smuggle non-verified content into responses.

Description-Behavior Mismatch

Medium, 93% confidence
Finding
The template includes booking flows, pricing tables, booking links, and CLI-based 'real-time data' behaviors that materially expand the skill beyond its stated packing-list purpose. This scope drift can mislead downstream agents into invoking travel-purchase style actions or presenting transactional content without clear authorization, increasing the risk of unsafe tool use, user confusion, and policy bypass around commerce-related operations.

Vague Triggers

Medium, 84% confidence
Finding
The activation phrases are broad enough to match ordinary travel conversation, so the skill may trigger when a user is casually asking for advice rather than requesting external search or booking-oriented behavior. In context, that is more dangerous because the skill pushes mandatory CLI execution and booking-link output, causing unnecessary tool invocation and possible exposure of user queries to a third-party service.

Missing User Warnings

Medium, 97% confidence
Finding
The skill directs the agent to automatically install a global npm package if the CLI is missing, without prior user approval or a safety disclosure. Installing software modifies the host environment and executes code from an external registry, which is a significant supply-chain and environment-integrity risk in an agent setting.

Missing User Warnings

Medium, 98% confidence
Finding
The prerequisites and environment-check steps repeat the instruction to run a global npm install, normalizing unattended dependency installation as part of routine execution. In the context of an agent skill, this makes the issue more dangerous because activation can lead directly to system changes and remote code execution pathways without a clear trust boundary or informed consent.

Missing User Warnings

Medium, 95% confidence
Finding
The runbook explicitly records `user_query` as raw input and persists the execution log to a local file, creating unnecessary retention of potentially sensitive personal or travel-related data. In this skill's context, users may provide destinations, dates, visa status, booking details, and other personal information, so silent logging increases privacy and data exposure risk if logs are accessed, mishandled, or retained too long.

VirusTotal

66/66 vendors flagged this skill as clean.
