ClawHub

Personal Travel

Security checks across malware telemetry and agentic risk

Overview

This is a simple travel assistant skill that stores travel notes and document dates in a disclosed workspace file.

Install this only if you want a persistent travel memory. Keep stored document details minimal, such as expiry dates and visa status, and avoid saving full passport numbers, scans, or insurance credentials in the workspace file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly says sensitive travel-related data, including passport, visas, insurance, and trip history, is stored in a workspace file, but it does not warn users about persistence, local exposure, or access boundaries. In a travel assistant context this increases privacy risk because the data can include identity and document details that may be retained longer than users expect and exposed through backups, logs, sync, or other workspace access.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list is overly broad for a personal-memory skill and includes generic travel-related terms such as 'city' and 'country' that can appear in many ordinary conversations. This can cause unintended invocation of the skill and unnecessary access to or modification of personal travel memory, increasing privacy and data-integrity risk in contexts where the user did not explicitly request travel assistance.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill directs the agent to store and update highly sensitive personal data, including passport validity, visas, and insurance details, in a persistent knowledge file without any consent flow, minimization guidance, or warning to the user. In a personal assistant context this is especially risky because the skill is explicitly designed to retain long-term memory, so accidental over-collection or exposure of identity and travel-document data becomes more likely.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal