历史价格参谋 (Historical Price Advisor)

Security checks across malware telemetry and agentic risk

Overview

This travel price-advice skill is mostly coherent, but it asks the agent to install a global CLI and includes an unsafe TLS-bypass workaround before returning travel prices and booking links.

Review this skill before installing. Do not let it use sudo or automatically upgrade a global npm package unless you trust the FlyAI CLI source and understand the system-wide impact. Do not use the NODE_TLS_REJECT_UNAUTHORIZED=0 workaround; fix certificate or network issues instead. If you use personalization, review and periodically delete or edit the saved travel profile in memory or ~/.flyai/user-profile.md.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (13)

Description-Behavior Mismatch (Medium, 93% confidence)

The document defines persistent cross-platform storage of a broad user travel profile for a skill whose stated purpose is price advice. That expands data collection beyond what is necessary for the skill's function, increasing privacy risk and creating unnecessary retention of personal preference data.

Context-Inappropriate Capability (Medium, 95% confidence)

The capability to write user travel profiles into Qoder Memory or local files enables persistent collection of personal data without a strong functional need for a price-advisor skill. Persistent writes create a durable privacy footprint that could be accessed later by other tools, sessions, or local users.

Context-Inappropriate Capability (Medium, 96% confidence)

The file-mode schema stores extensive personal travel-profile data such as family composition, budget, past destinations, and special needs, much of which is not required to answer whether a current flight or hotel price is good. Collecting and retaining this broader dataset increases the harm from disclosure and violates data minimization principles.

Context-Inappropriate Capability (Medium, 95% confidence)

The workflow requires users to install and run a global CLI before performing a price-advisory task, which unnecessarily expands the skill's capabilities into local system modification and command execution. This increases attack surface, creates supply-chain risk from external packages, and is not justified by the stated purpose of simply advising on travel prices.

Context-Inappropriate Capability (High, 99% confidence)

The workflow instructs disabling TLS certificate verification with NODE_TLS_REJECT_UNAUTHORIZED=0, which defeats HTTPS security and permits man-in-the-middle interception or tampering of traffic. For a skill that fetches travel pricing and booking links, this can expose or alter search results, links, and potentially sensitive user data.

Description-Behavior Mismatch (Medium, 90% confidence)

The skill is described as a price advisor, but the workflow extends into direct booking and reservation actions via jumpUrl links for flights, hotels, and POIs. This scope expansion increases the chance of unintended purchases, phishing-style redirection, or abuse of booking flows beyond the user's original request for analysis.

Missing User Warnings (Medium, 92% confidence)

The skill explicitly states that it will remember users' price preferences and consultation history, but the visible markdown does not provide a clear privacy notice, data minimization policy, retention limit, or consent boundary. This can lead to collection and persistence of travel-related preference data without informed user consent, increasing privacy and profiling risk.

Missing User Warnings (Medium, 96% confidence)

The startup flow instructs the skill to automatically read stored user profile data via memory search or a local file before clear upfront notice or consent. Silent access to persisted profile information expands the privacy impact because the skill may process sensitive travel habits or preferences without the user realizing that historical data is being loaded.

Missing User Warnings (Medium, 91% confidence)

The document instructs persistent storage of personal travel preferences but does not clearly warn that this creates privacy implications or that data may persist across sessions and platforms. Users and integrators may therefore enable storage without understanding retention, access scope, or downstream exposure.

Missing User Warnings (Medium, 94% confidence)

The local file storage section names a concrete disk path and provides write instructions without an explicit warning that personal data will be written to disk. This can lead to silent persistence on shared or insecure systems and makes accidental disclosure more likely.

Missing User Warnings (Medium, 94% confidence)

The workflow mandates unconditional global installation or upgrade of an npm package and suggests sudo when permissions fail, without warning about system-wide changes, package trust, or privilege escalation risks. This creates avoidable exposure to malicious or compromised packages and can impact the host environment beyond the skill itself.

Missing User Warnings (High, 99% confidence)

The SSL workaround disables TLS verification without any warning about the security consequences, normalizing a dangerous troubleshooting step. Users may unknowingly operate in an insecure state where network attackers can intercept, manipulate, or spoof service responses.

Ssd 2 (High, 98% confidence)

The instruction presents disabling TLS verification as a normal plain-language fix, making unsafe execution more likely under routine troubleshooting conditions. Because the skill also relies on network-fetched prices and links, this creates a realistic path for tampered responses and malicious redirection.

VirusTotal

66/66 vendors flagged this skill as clean.