Tonight Hotel

Security checks across malware telemetry and agentic risk

Overview

This hotel-search skill is coherent, but it asks agents to install a global npm CLI and keep raw travel-query logs without clear user approval or retention controls.

Review before installing. Use this skill only if you are comfortable installing `@fly-ai/flyai-cli` from npm and sending travel-search details to flyai/Fliggy. Ask your agent to confirm before any install, prefer a pinned or manually reviewed CLI setup, and disable or delete `.flyai-execution-log.json` if you do not want raw travel queries retained locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to run `npm i -g @fly-ai/flyai-cli` automatically, which modifies the host environment without explicit user consent or a warning. In an agent context, this is dangerous because it can trigger unreviewed code installation from a package registry, expanding the attack surface and potentially enabling supply-chain compromise or unintended system changes.

Missing User Warnings

Medium
Confidence: 97%
Finding
The fallback path explicitly tells the agent to install a global package if `flyai` is missing, again without prior approval or any safety prompt. Because this occurs in an error-recovery branch, an agent may execute it automatically, making silent environment modification more likely and increasing risk from malicious or compromised dependencies.

Missing User Warnings

Medium
Confidence: 93%
Finding
The runbook explicitly records raw user input in an internal execution log and describes persistent storage to a local file, but provides no notice, minimization, retention limit, or redaction guidance. In a travel-booking skill, user queries can contain names, dates, destinations, booking details, contact data, or other sensitive travel information, so retaining raw prompts increases privacy and data-exposure risk.

Ssd 3

Medium
Confidence: 96%
Finding
The schema includes `"user_query": "{raw input}"`, which instructs the agent to persist the user's full unfiltered input. Raw prompts frequently contain secrets or personal data, and storing them verbatim creates unnecessary sensitive-data retention that could be exposed through local access, debugging artifacts, or later log reuse.

Ssd 3

Medium
Confidence: 97%
Finding
The runbook directs appending execution logs to `.flyai-execution-log.json`, creating an accumulating local record of user interactions and commands. Persistent append-only logs increase the blast radius of any host compromise or accidental file disclosure, especially because this travel skill may process urgent booking requests containing personal itinerary and payment-adjacent details.

VirusTotal

58/58 vendors flagged this skill as clean.
