China Travel Planner

Security checks across malware telemetry and agentic risk

Overview

This is a real China travel-planning skill, but its optional publishing flow can modify and push a GitHub Pages branch without adequate safeguards.

Install it only if you want both the travel planner and its page-generation tools. Run init and build in a dedicated workspace, review output paths before anything is written, and do not run deploy unless the repository is clean and you have checked the target remote and the files that will be staged.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill document instructs the agent to read local reference files, invoke multiple shell commands, write JSON/HTML artifacts, and access external network sources, yet no declared permissions are present. This creates a governance gap: the runtime may grant broad capabilities without explicit review, increasing the chance of unintended file modification, network exfiltration, or command execution beyond the user's travel-planning intent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The stated skill purpose is travel planning, but the instructions expand into local scripting, website generation, schema validation, image harvesting, and GitHub Pages deployment. This mismatch is dangerous because users and reviewers may authorize a benign planning tool while actually exposing a much broader operational surface that can write files, build artifacts, and publish content externally.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill adds a page-generation pipeline that creates project files, validates data, builds a static site, and produces distributable output, which is materially beyond itinerary assistance. Scope expansion like this increases attack surface and makes it easier to leverage a trusted travel-planning skill for filesystem changes and downstream content-generation tasks unrelated to the original user request.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
GitHub Pages deployment introduces publication and shell/git side effects that are not necessary for ordinary China travel planning. If misused, this could push generated content to a remote repository or public site, causing unauthorized publication, credential misuse, or accidental disclosure of local data embedded in generated artifacts.

Context-Inappropriate Capability

Low
Confidence
96% confidence
Finding
The page loads executable JavaScript from https://cdn.tailwindcss.com at runtime, which creates a supply-chain trust dependency on a third party outside the skill package. If the CDN response is compromised, blocked, or altered, arbitrary script would execute in the page context; this is not necessary for a static travel itinerary page and is made slightly more concerning because the page also fetches and renders external data into the DOM.
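The usual fix for an unpinned CDN script is Subresource Integrity: hash the exact bytes you reviewed and put the digest in the script tag, so the browser refuses to run a changed response. The following is an added example written for this report, not code from the skill; the sample script bytes and the page snippet are constructed, and the checker only finds remote script tags lacking an integrity attribute.

```python
import base64
import hashlib
import re

# Constructed stand-in for the bytes a CDN would serve; the real Tailwind
# script is not embedded here. In practice fetch the pinned version once,
# hash it, and commit the hash with the page.
SAMPLE_SCRIPT = b"console.log('constructed sample script');\n"

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity digest such as 'sha384-<base64>'."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def pinned_script_tag(url: str, content: bytes) -> str:
    """Build a <script> tag pinned to the bytes that were reviewed. A browser
    refuses to run a CDN response whose hash no longer matches."""
    return (f'<script src="{url}" integrity="{sri_hash(content)}" '
            'crossorigin="anonymous"></script>')

_SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc=[\"']([^\"']+)[\"'][^>]*>", re.I)

def unpinned_remote_scripts(html: str) -> list:
    """List src URLs of remote <script> tags that carry no integrity attribute,
    i.e. the supply-chain exposure the finding describes."""
    flagged = []
    for match in _SCRIPT_SRC.finditer(html):
        tag, src = match.group(0), match.group(1)
        remote = src.startswith(("http://", "https://", "//"))
        if remote and "integrity=" not in tag.lower():
            flagged.append(src)
    return flagged

if __name__ == "__main__":
    page = ('<script src="https://cdn.tailwindcss.com"></script>\n'
            '<script src="/assets/app.js"></script>\n')
    print("unpinned:", unpinned_remote_scripts(page))
    print(pinned_script_tag("https://cdn.example/tailwind.min.js", SAMPLE_SCRIPT))
```

Pin a versioned asset or vendor the file into the site: an integrity hash on an unversioned URL will fail the next time the CDN changes the file, which is the intended failure, not a bug. A Content-Security-Policy `script-src` directive that names only the approved origin complements SRI but does not replace it.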

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file implements static-site generation behavior that is unrelated to the skill's declared China travel-planning/search purpose. In agent environments, hidden or unnecessary file-generation capabilities expand the action surface and can be abused to write deployable content or artifacts outside the user's expected intent.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The deploy flow performs GitHub Pages publication through branch manipulation, commit, and push operations, which materially exceeds a travel-planning skill's stated function. In this context, undisclosed deployment capability is dangerous because it can publish content externally and mutate repositories in ways the user would not expect from a travel assistant.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Subprocess-driven git repository manipulation is context-inappropriate for a travel-planning skill and grants the skill the ability to alter branches, commit files, and push to remotes. Because the manifest suggests benign itinerary assistance, this mismatch makes the capability more dangerous: users and orchestrators may permit the skill under assumptions that do not match its real power.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The script accepts an arbitrary --output path and writes generated content there without restricting the destination. In an agent or automation context, this can overwrite files anywhere writable by the process, which exceeds the stated travel-planning purpose and can be abused for destructive file clobbering or planting crafted JSON into sensitive locations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The build command unconditionally deletes and recreates the dist directory, which can destroy prior build artifacts or user-placed files without a prominent warning. While limited to a subdirectory, silent deletion is unsafe behavior in CLI tooling and becomes more concerning when embedded in an agent skill the user may not fully inspect.
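Both filesystem findings above (the unrestricted --output path and the unconditional dist deletion) share one remedy: resolve every path against the workspace before writing, and delete only what the build itself produced. The following is an added example for this report, not the skill's own code; the manifest file name is hypothetical and the files created in the demo are constructed.

```python
import shutil
import tempfile
from pathlib import Path

# Hypothetical manifest name: the build records every path it wrote here so
# that a later clean only removes files the build itself produced.
MANIFEST = ".build-manifest"

def confine_output(workspace: str, user_path: str) -> Path:
    """Resolve a user-supplied --output path and refuse anything that lands
    outside the workspace: absolute paths, '..' traversal, or symlinks that
    point elsewhere (resolve() follows them before the check)."""
    root = Path(workspace).resolve()
    target = (root / user_path).resolve()  # an absolute user_path replaces root
    if root not in target.parents:
        raise ValueError(f"refusing to write outside {root}: {user_path!r}")
    return target

def record_build_output(dist, written) -> None:
    """Write the manifest of dist-relative paths produced by this build."""
    (Path(dist) / MANIFEST).write_text("\n".join(sorted(written)) + "\n")

def safe_clean_dist(dist) -> bool:
    """Recreate dist only when every file in it is recorded in the manifest.
    Returns True if dist was (re)created, False if it was left untouched
    because it held files the build does not own."""
    dist = Path(dist)
    if dist.is_symlink():
        raise ValueError("dist is a symlink; refusing to delete through it")
    if not dist.exists():
        dist.mkdir(parents=True)
        return True
    manifest = dist / MANIFEST
    recorded = set()
    if manifest.exists():
        recorded = {line for line in manifest.read_text().splitlines() if line}
    present = {p.relative_to(dist).as_posix() for p in dist.rglob("*") if p.is_file()}
    unexpected = present - recorded - {MANIFEST}
    if unexpected:
        return False
    shutil.rmtree(dist)
    dist.mkdir()
    return True

def demo() -> dict:
    """Exercise both guards in a throwaway workspace with constructed files."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        out["inside_ok"] = confine_output(tmp, "dist/plan.json").name == "plan.json"
        for bad in ("../escape.json", "/etc/passwd", "dist/../../escape.json"):
            try:
                confine_output(tmp, bad)
                out[bad] = "allowed"
            except ValueError:
                out[bad] = "rejected"
        dist = Path(tmp) / "dist"
        out["created"] = safe_clean_dist(dist)            # missing dir: created
        (dist / "index.html").write_text("<html></html>")
        record_build_output(dist, ["index.html"])
        out["rebuild"] = safe_clean_dist(dist)            # only build output: cleared
        (dist / "index.html").write_text("<html></html>")
        record_build_output(dist, ["index.html"])
        (dist / "notes.txt").write_text("user file\n")    # not recorded by the build
        out["with_user_file"] = safe_clean_dist(dist)     # refused
        out["user_file_kept"] = (dist / "notes.txt").exists()
    return out

if __name__ == "__main__":
    print(demo())
```

When safe_clean_dist returns False the tool should name the unexpected files and stop, rather than prompt and continue; in an agent context a prompt is often auto-answered, while a hard stop forces the user to look.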

Missing User Warnings

High
Confidence
99% confidence
Finding
The deploy command switches branches, removes tracked files, stages changes, commits, and pushes without explicit confirmation or a destructive-operation warning. In an agent context, this can lead to accidental data loss, repository corruption, or unauthorized publication, especially because the skill's advertised purpose does not prepare users for source-control side effects.
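The preflight the Overview asks for (clean tree, approved remote, reviewed file list) can be enforced in code before any branch switch or push. The following is an added example for this report, not the skill's own deploy code; the remote allowlist, the dist/ prefix, the secret-name pattern and the git output strings are assumptions or constructed inputs.

```python
import posixpath
import re
import subprocess
from urllib.parse import urlparse

# Hypothetical allowlist of remotes this skill may ever push to; the real
# deploy target is not named on this page.
ALLOWED_REMOTES = {"github.com/example-org/china-travel-site"}
PUBLISH_PREFIX = "dist/"          # only built output may be staged
SECRET_LIKE = re.compile(
    r"(^|/)(\.env(\..*)?|id_(rsa|ed25519)|[^/]*\.(pem|key)|credentials\.json)$")

def normalize_remote(url: str) -> str:
    """Reduce https and scp-style ssh remote URLs to 'host/owner/repo'."""
    if "://" in url:
        parts = urlparse(url)
        host, path = parts.hostname or "", parts.path
    else:                                   # git@github.com:owner/repo.git
        _, _, rest = url.rpartition("@")
        host, _, path = rest.partition(":")
    path = path.strip("/")
    if path.endswith(".git"):
        path = path[:-4]
    return f"{host.lower()}/{path}"

def working_tree_clean(status_porcelain: str) -> bool:
    """True only if 'git status --porcelain' printed nothing: no modified,
    staged, or untracked ('??') files that a branch switch could clobber."""
    return all(not line.strip() for line in status_porcelain.splitlines())

def suspicious_files(paths) -> list:
    """Paths that must never be published: outside dist/ or secret-looking."""
    flagged = []
    for raw in paths:
        p = posixpath.normpath(raw)     # collapses dist/../x before the prefix check
        if not p.startswith(PUBLISH_PREFIX) or SECRET_LIKE.search(p):
            flagged.append(raw)
    return flagged

def deploy_preflight(status_porcelain: str, remote_url: str, to_stage) -> list:
    """Return the reasons deploy must stop; an empty list means proceed."""
    problems = []
    if not working_tree_clean(status_porcelain):
        problems.append("working tree is not clean; commit or stash first")
    if normalize_remote(remote_url) not in ALLOWED_REMOTES:
        problems.append(f"remote {remote_url!r} is not an approved publish target")
    bad = suspicious_files(to_stage)
    if bad:
        problems.append("refusing to stage: " + ", ".join(bad))
    return problems

def live_preflight(repo: str, to_stage) -> list:
    """Gather the same inputs from a real checkout (requires git on PATH)."""
    def git(*args):
        return subprocess.run(["git", *args], cwd=repo, capture_output=True,
                              text=True, check=True).stdout
    return deploy_preflight(git("status", "--porcelain"),
                            git("remote", "get-url", "origin").strip(), to_stage)

if __name__ == "__main__":
    # Constructed inputs standing in for real git output.
    print(deploy_preflight(" M src/build.py\n?? notes.txt\n",
                           "https://github.com/attacker/evil.git",
                           ["dist/index.html", "dist/.env", "../secrets.txt"]))
```

Run the check, print the full file list, and require an explicit flag such as a confirmed remote name before the branch switch; a deploy that stages whatever happens to be present is exactly the failure mode this finding describes.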

Missing User Warnings

Low
Confidence
80% confidence
Finding
The script derives a city identifier/name from user input and sends it to an external AMap endpoint, which shares user-influenced travel intent with a third party. In this travel-planning context the data is generally low sensitivity, but the request is made over HTTP, which increases privacy and integrity risk because the destination and response can be observed or modified in transit.
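The practical fix is to force https, accept only the expected host, and put the user-derived city value into an encoded query parameter rather than concatenating it into the URL. The following is an added example for this report, not the skill's own code; the geocoding host and the parameter name are assumptions, since the page names only "AMap".

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: the geocoding host the skill calls; the page names only "AMap".
ALLOWED_GEO_HOSTS = {"restapi.amap.com"}

def is_allowed_endpoint(url: str) -> bool:
    """Accept only http/https URLs whose exact hostname is allowlisted
    (a look-alike such as restapi.amap.com.evil.example is rejected)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return parts.scheme in ("http", "https") and host in ALLOWED_GEO_HOSTS

def harden_geo_url(url: str, city: str, param: str = "city") -> str:
    """Rewrite the endpoint to https, rebuild the netloc from the hostname
    alone (drops userinfo and port), and set the city as an encoded query
    parameter so characters like '&' or '#' cannot alter the request."""
    if not is_allowed_endpoint(url):
        raise ValueError(f"not an approved geocoding endpoint: {url!r}")
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[param] = city
    return urlunsplit(("https", parts.hostname, parts.path, urlencode(query), ""))

if __name__ == "__main__":
    print(harden_geo_url("http://restapi.amap.com/v3/geocode/geo?key=K", "北京"))
```

Any other parameter the script sends in the same query travels over the same channel, so the upgrade to https protects those values as well as the city name.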

VirusTotal

66/66 vendors flagged this skill as clean.
