Security audit

Travel Companion

Security checks across malware telemetry and agentic risk

Overview

This travel-planning skill is clear about using Aizzie to create saved, shareable itineraries, but users should understand that trip details may leave the chat and persist on a third-party service.

Install this only if you are comfortable using Aizzie for travel planning and having itinerary details stored outside the chat. Before creating real trips, confirm that saving or sharing is intended, and avoid entering sensitive lodging, timing, companion, or absence-from-home details unless you want them handled by the external service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 90%
Finding
The skill's activation guidance is intentionally expansive, covering both explicit and implicit travel-related mentions. This can cause the skill to trigger in conversations where the user did not clearly ask to use an external travel platform, increasing the chance of unexpected tool use or premature collection/storage of trip-related information. In this context, the danger is amplified because the skill creates persistent, shareable itineraries on a third-party service.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill repeatedly emphasizes that trips are persistent, accessible on any device, and shareable/collaborative, but it does not require explicit user consent or a privacy warning before storing itinerary details on aizzie.ai. Users may disclose sensitive travel plans, lodging, timing, and companion information without realizing that the data will be retained and potentially exposed to collaborators via share links. The travel-planning context makes this more sensitive because itinerary data can reveal future location patterns and absence from home.

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.