Atlas Travel Extras

Security checks across malware telemetry and agentic risk

Overview

This travel-planning skill is useful, but it should be reviewed because it encourages storing sensitive travel, identity, medical, insurance, device, and booking details in ordinary local Markdown files without enough privacy guidance.

Install only if you are comfortable managing the storage yourself. Use redacted values for passport, visa, policy, booking, device, and medical details; keep full identifiers in a password manager or encrypted notes; and confirm before the agent creates or updates any document files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger list contains several generic phrases such as "visa," "documents," "weather," "accommodation," and "insurance" that can match many unrelated user requests and cause unintended activation. In a skill that stores and manages travel plans and document information, accidental invocation increases the chance of exposing, creating, or modifying sensitive personal travel data in the wrong context.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly handles passport validity, visas, insurance, bookings, confirmation numbers, and travel history, but it provides no warning that these files may contain sensitive personal information. Users may store high-value identity and itinerary data without understanding the privacy and security implications, increasing the risk of data exposure or unsafe retention.

Natural-Language Policy Violations

Low
Confidence: 91%
Finding
The file states a visa rule for only one nationality ('Not required for Germans') without qualification, which can mislead users of other nationalities into assuming the advice is broadly applicable. In a travel-assistant skill, visa guidance is safety- and compliance-relevant, so oversimplified nationality-specific advice can cause denied boarding, entry refusal, or disrupted travel plans.

Missing User Warnings

Medium
Confidence: 94%
Finding
This template instructs users to compile and keep accessible a large concentration of sensitive personal, medical, financial, identity, and device-recovery information, including insurance policy numbers, emergency contacts, document-copy checklist items, and device identifiers. In a travel context, where theft and loss are common risks, carrying or loosely storing this information can increase identity theft, account abuse, social engineering, and privacy harms if the card is found, photographed, or stolen.

Missing User Warnings

Medium
Confidence: 92%
Finding
The file explicitly structures storage of sensitive travel document data such as passport and visa numbers and expiry dates in plain Markdown files, but provides no privacy, minimization, access control, retention, or redaction guidance. In a personal travel assistant context, this creates a realistic risk of exposure of identity documents through local file compromise, sync services, backups, logs, or accidental sharing of the workspace.

VirusTotal

65/65 vendors flagged this skill as clean.
