Trip Planner CN

Security checks across malware telemetry and agentic risk

Overview

This trip-planning skill is instruction-only and uses travel/map lookups for its stated purpose, with privacy cautions but no hidden installation, persistence, or destructive behavior.

Install if you are comfortable using third-party travel and map services for trip planning. Avoid sending sensitive home, workplace, or exact travel-pattern details unless needed, and confirm before external lookups when the request is only a simple travel question.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger phrases are very broad and overlap with ordinary travel questions such as flight lookup, train lookup, and schedule planning. This can cause the skill to activate on loosely related requests and unnecessarily collect or transmit itinerary details to external travel connectors, increasing the risk of unintended tool use and data exposure.

Vague Triggers

Low
Confidence: 80%
Finding
The activation scenario is described in a general way and does not clearly distinguish when the skill should activate versus when the assistant should simply answer conversationally. Ambiguous scope can lead to over-activation and premature use of external tools, which is a security and privacy concern even if the skill logic itself is not malicious.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill states that it uses Ctrip connectors and optionally the Baidu Maps API, but it does not clearly warn users that their itinerary details may be sent to external services. In a travel-planning context, those details can include sensitive location, timing, and travel-pattern information, so lack of disclosure meaningfully increases privacy risk.

VirusTotal

65/65 vendors flagged this skill as clean.