Security audit

travel-agent

Security checks across malware telemetry and agentic risk

Overview

This travel skill mostly asks for capabilities that match its purpose, but it misrepresents generated travel data as live/search-backed and under-discloses stored/query/push data flows.

Review carefully before installing. Do not rely on its travel, weather, crowd, or sentiment outputs for real decisions unless the publisher replaces the mock/random data paths with sourced results. Avoid entering sensitive travel plans or business monitoring topics, and treat configured webhooks/API keys as sensitive because reports and queries may pass through third-party skills and messaging channels.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (15)

Intent-Code Divergence

Medium (96% confidence)
The README makes contradictory security claims about API key handling: one section says user API keys are encrypted-stored, while another says API keys are not stored at all. Misrepresenting secret handling is security-relevant because users and reviewers may make unsafe trust decisions based on false assurances, and operators may fail to apply appropriate key-rotation and storage controls.

Intent-Code Divergence

Medium (95% confidence)
The README claims user query data is not collected or uploaded, yet the documented architecture and features indicate requests are sent to third-party search and LLM services. This is dangerous because it can mislead users about data exposure boundaries, causing them to submit sensitive travel plans, preferences, or credentials under false privacy expectations.

Intent-Code Divergence

Medium (97% confidence)
The method invokes an external search skill for weather data but discards the returned content and fabricates random forecasts. In a travel-planning orchestrator, presenting invented weather as if it were queried data is a data integrity flaw that can mislead users into unsafe or costly decisions.

Intent-Code Divergence

Medium (96% confidence)
The attraction search routine claims to fetch city-specific attractions but returns a hard-coded Beijing-centric list regardless of the query or external results. This creates deceptive output and can cause incorrect recommendations, bookings, or trust erosion in downstream reports.

Intent-Code Divergence

Medium (95% confidence)
The sentiment analysis path performs external searches but then generates random sentiment rates and complaint points instead of analyzing results. In a monitoring/reporting skill, fabricated sentiment can drive bad operational decisions and spread false conclusions to users or stakeholders.

Intent-Code Divergence

Medium (94% confidence)
The transportation search method ignores provider output and returns fixed sample transportation details, some of which are city-specific and may be wrong. Users relying on this information could make travel plans based on inaccurate logistics, creating safety and reliability concerns.

Intent-Code Divergence

Medium (97% confidence)
The weather query function presents itself as a live query but returns randomly generated conditions unrelated to the external result. Because weather affects travel safety and planning, this is a meaningful integrity issue rather than a harmless placeholder.

Intent-Code Divergence

Medium (92% confidence)
The module is presented as a user preference manager, but it also stores detailed per-user query history and activity statistics. This mismatch can undermine informed consent and privacy expectations, especially because commands and arguments may contain sensitive travel plans or personal data that are retained locally.

Missing User Warnings

Medium (90% confidence)
The changelog explicitly states that user behavior and preference data are collected for product optimization, but provides no indication of consent, notice, retention limits, or user controls. In a skill context, silent telemetry and profiling can expose sensitive usage patterns and create privacy/compliance risk even if no direct code is shown here.

Missing User Warnings

Medium (90% confidence)
The skill explicitly supports scheduled delivery of reports to Feishu and DingTalk webhooks, but the documentation does not warn users that generated reports may contain sensitive travel, business monitoring, or usage data that will be transmitted to third-party services. This creates a real risk of unintended data disclosure, especially in enterprise or market-monitoring use cases where reports may include non-public operational information.

Missing User Warnings

Medium (88% confidence)
The code forwards API credentials to another skill invocation, expanding the trust boundary and increasing exposure risk if that downstream skill logs, stores, or mishandles secrets. Even though the log masks the key, the actual credential transmission still occurs and is not minimized.

Missing User Warnings

Medium (84% confidence)
User-derived queries about travel plans and sentiment are sent to external search engines without any visible disclosure or consent handling in this code path. While this is expected functionality for a search-based orchestrator, it still creates a privacy/transparency issue because user interests, dates, and locations may be shared externally.

Missing User Warnings

Medium (90% confidence)
The scheduled push feature sends reports, user identifiers, and possibly email addresses to third-party messaging/email skills without visible disclosure or content minimization in this file. If reports contain sensitive travel preferences or monitoring results, this broadens data exposure across external channels.

Missing User Warnings

Medium (87% confidence)
The manifest exposes scheduled push delivery to Feishu and DingTalk webhooks but does not present any user-facing warning about what report content may be transmitted, stored, or shared with third-party services. Because scheduled reports may include user queries, travel plans, preferences, or generated analysis, this creates a real privacy and data-sharing risk, especially when delivery is automated and recurring.

Missing User Warnings

Medium (95% confidence)
The code persistently writes user preferences, full command history, arguments, timestamps, and success status to a local SQLite database without any visible notice, consent, retention limit, or protection in this file. If the host is shared or compromised, this data can expose sensitive behavioral patterns and potentially personal information derived from commands and arguments.

VirusTotal

64/64 vendors flagged this skill as clean.