easytravelwithchild

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real family-travel planning skill, but it needs review because it profiles a child and sends family travel searches to third-party services without clear privacy controls.

Review before installing. Use it only when you are comfortable sending destination, dates, preferences, and child-related planning details to FlyAI/Fliggy-backed searches. Avoid providing unnecessary child attributes such as gender, prefer interest-based preferences, and consider using a separate/low-risk travel account or reviewing the FlyAI CLI before running searches.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence: 85%
Finding
The README says the skill uses real-time travel search data and produces booking links, but it does not disclose what user inputs may be transmitted to third-party services, how long any data is retained, or what privacy expectations users should have. In a travel-planning skill, users may provide sensitive family details such as destination, dates, child age, and preferences, so lack of data-handling transparency creates meaningful privacy risk even if the README itself does not prove active misuse.

Vague Triggers

Medium
Confidence: 83%
Finding
The trigger scope is broad enough that the skill may activate during ordinary conversation about children’s outings, causing unintended tool use or unnecessary collection of child-related profile details such as age, gender, and personality type. Over-broad activation increases the chance of irrelevant invocation and privacy overreach, especially because the workflow mandates data collection before proceeding.

Vague Triggers

Medium
Confidence: 88%
Finding
The 'When to Use' section uses vague phrases like family outings and parent-child travel without clear boundaries, which can cause accidental triggering in general chat. In this skill, that matters because activation leads into mandatory scripted searches and structured profiling of a child, making unintended invocation more privacy-sensitive than a harmless recommendation-only flow.

VirusTotal

64/64 vendors flagged this skill as clean.
