ClawHub

Travel Assistant

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-only travel planning skill whose web searches are expected for its stated purpose, though users should be mindful that travel details may be sent to search providers.

Install only if you are comfortable with a travel assistant using web search for current weather, visa, safety, and destination information. Avoid entering passport numbers, full booking confirmations, home address, or other unnecessary personal details, and ask it to use general search terms when possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly promotes real-time weather/network queries and recommends using an external API, but it does not disclose that destination, dates, and other itinerary details may be sent to third-party services. In a travel-planning context, these details can reveal sensitive location patterns and future absence from home, so silent transmission creates a meaningful privacy risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill states it will query external sources for local laws, safety conditions, and embassy information without warning that user travel plans and destination context may be shared over the network. Because the skill is framed as a proactive assistant, users may provide detailed personal travel data and not realize it is being transmitted externally.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The prompt instructs the assistant to use web_search to look up destination-specific requirements and conditions after collecting detailed itinerary information, but it does not constrain what user data may be included in those searches or warn that external services may receive it. In a travel-planning context, this can expose sensitive personal travel details such as destinations, dates, family composition, and possibly booking information to third-party providers unnecessarily.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal