ClawHub
Back to skill

Security audit

智能旅游规划师

Security checks across malware telemetry and agentic risk

Overview

This is a coherent travel-planning skill, but users should understand that live searches and image generation may share trip details with external services.

Install only if you are comfortable with the agent using web searches and SEEDREAM-style image generation for travel planning. Avoid sharing unnecessary sensitive details such as exact home address, passport data, private medical information, or full booking confirmations unless required.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger condition covers essentially any request that resembles travel planning, without clear boundaries for when the skill should activate or defer. Overbroad activation can cause the agent to engage unexpectedly, collect unnecessary personal trip details, or override more appropriate skills or safety checks in adjacent contexts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill mandates network retrieval of real-time travel, weather, policy, and safety data before planning, but does not require informing the user that external services will be queried. This creates a privacy and transparency problem because destination, travel timing, and potentially sensitive travel context may be disclosed to third parties without explicit notice or consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill requires calling SEEDREAM after generating an itinerary, but it does not warn the user that itinerary content may be transmitted to an external image-generation service. Travel plans can reveal sensitive personal information such as destinations, dates, family composition, accessibility needs, and preferences, so silent third-party sharing is risky.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal