SkedGo TripGo API

Security checks across malware telemetry and agentic risk

Overview

This is a coherent TripGo API wrapper that sends travel and location data to TripGo for expected routing, trip, webhook, and analytics features.

Install only if you are comfortable sending precise travel searches, coordinates, event timing, trip IDs, webhook destinations, and analytics events to TripGo. Configure TRIPGO_WEBHOOK_ALLOWLIST before using hooks, avoid unnecessary home/work labels or exact locations, and use analytics or saved-trip endpoints only when covered by your user consent and privacy policy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation instructs users to send precise origin, destination, and itinerary parameters to a third-party API without any privacy or data-handling warning. This can lead to unintentional disclosure of sensitive location and travel-pattern data by integrators who may not realize the external transmission implications.

Missing User Warnings

High
Confidence: 97%
Finding
This section describes transmitting highly sensitive calendar events and habitual locations such as home, work, or hotel stays to an external service, but provides no warning about the privacy implications. Exposure of this data can reveal routines, presence patterns, and sensitive personal associations, materially increasing stalking, profiling, or surveillance risk if mishandled.

Missing User Warnings

Medium
Confidence: 94%
Finding
The webhook documentation tells users to register an arbitrary callback URL and states the platform will POST tripID and tripURL there, but it does not warn that trip-related data is being transmitted to an external endpoint under the user's control. This can lead to accidental disclosure of itinerary or user-linked trip information to third parties, especially if integrators use insecure or untrusted webhook destinations.

Missing User Warnings

Medium
Confidence: 91%
Finding
The planned-trip endpoint is documented as being for analytics, but it does not clearly warn that calling it records user behavior about which trips were actually selected or taken. That omission creates a privacy risk because integrators may invoke it without adequately informing end users that their travel behavior is being tracked.

Missing User Warnings

Medium
Confidence: 92%
Finding
The script sends highly sensitive user data including agenda items, timestamps, and precise locations to a third-party API, but it does not give an explicit privacy warning or require affirmative user acknowledgement before transmission. In this skill context, that data can reveal home/work locations and daily routines, so silent transmission meaningfully increases privacy and compliance risk even if the transmission is expected functionality.

Missing User Warnings

Medium
Confidence: 90%
Finding
The script performs an irreversible DELETE request immediately using a user-supplied hook identifier, with no confirmation prompt, dry-run mode, or guardrails. In an agent or automation context, this increases the chance of accidental deletion of trip hooks due to operator error, bad input, or misuse of the script.

VirusTotal

66/66 vendors flagged this skill as clean.