反向穷游 (Reverse Budget Travel)

Security checks across malware telemetry and agentic risk

Overview

This budget-travel skill has a coherent travel purpose, but it asks for risky setup and network behavior that users should review before installing.

Install only if you are comfortable with a travel assistant using external FlyAI search services and retaining travel preferences. Do not let it automatically run global `npm`, `sudo`, or TLS-disabling commands; prefer a pinned user-level CLI setup, keep normal certificate checks enabled, and save only profile details you are comfortable storing persistently.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Context-Inappropriate Capability

Severity: Medium (93% confidence)
The skill instructs persistent storage and reuse of user travel preferences and history across sessions, which exceeds what is strictly necessary for a one-shot reverse-budget travel recommendation flow. This creates avoidable privacy and data-retention risk, especially if preferences, companion details, departure city, and historical plans are stored without clear consent, minimization, or retention limits.

Context-Inappropriate Capability

Severity: High (97% confidence)
The documented fallback to read and update a local profile file (`~/.flyai/user-profile.md`) introduces filesystem access unrelated to core travel search functionality and can expose locally stored personal data. Local file reads/writes significantly widen the skill's trust boundary and may disclose or overwrite sensitive information if misused or if the file contains more than expected.

Context-Inappropriate Capability

Severity: Medium (78% confidence)
Claims of being able to 'autonomously learn' and 'continuously grow' signal open-ended behavior beyond the narrowly scoped manifest purpose of budget travel planning. While this line alone is not an exploit, it encourages capability expansion and can normalize unsandboxed memory accumulation or behavior drift over time.

Description-Behavior Mismatch

Severity: High (95% confidence)
This reference documents a Marriott hotel search capability that is materially outside the stated purpose of a reverse-budget travel-planning skill. Capability/intent mismatch is dangerous because it can hide undeclared functionality, expand the skill's operational scope, and cause downstream agents or reviewers to trust and invoke actions they did not expect from the manifest.

Description-Behavior Mismatch

Severity: Medium (91% confidence)
The document introduces persistent collection and cross-platform storage of a user travel profile that goes beyond the skill's visible purpose of answering one-off reverse-budget trip queries. This expands the data lifecycle and sensitivity surface without a clear necessity, increasing privacy risk and the chance of unintended retention or reuse of personal data.

Context-Inappropriate Capability

Severity: Medium (88% confidence)
The capability to create or update persistent memory is documented as a normal behavior, but the skill metadata describes a budget-trip recommendation assistant rather than a profile-management system. Allowing writes to persistent stores without strong justification or explicit user consent can lead to silent accumulation of personal preferences across sessions.

Context-Inappropriate Capability

Severity: Medium (94% confidence)
The file-mode guidance includes creating a local directory and updating a profile file under the user's home directory, which is a persistent side effect unrelated to the manifest's apparent scope. Writing plaintext profile data to disk can expose personal information to other local processes, users, backups, or later unintended access.

Context-Inappropriate Capability

Severity: Low (81% confidence)
The standardized schema collects broad preference and history fields such as family composition, past destinations, and accommodation preferences, which exceed the minimum inputs described for the reverse-budget feature. Excessive data collection increases privacy exposure and creates risk if the stored profile is later accessed or reused beyond the original request.

Context-Inappropriate Capability

Severity: High (99% confidence)
The workflow explicitly prepends `NODE_TLS_REJECT_UNAUTHORIZED=0` to all FlyAI network searches, disabling certificate validation for flight, hotel, POI, and keyword-search requests. In a travel-planning skill this is unnecessary and materially increases exposure to man-in-the-middle attacks, data tampering, and delivery of falsified travel results over untrusted networks.

Missing User Warnings

Severity: Medium (91% confidence)
The skill says it will read, remember, and update user preferences in real time, but it does not present an upfront privacy warning or consent mechanism before handling this personal data. This is risky because travel preferences and history can reveal sensitive patterns about location, habits, companions, and future plans.

Missing User Warnings

Severity: Medium (95% confidence)
The fallback behavior to read a local profile file is described without warning the user that local filesystem data may be accessed. Even if intended for convenience, undisclosed access to a home-directory file is a significant privacy issue because users may not expect the skill to inspect local storage.

Missing User Warnings

Severity: Medium (90% confidence)
The skill documentation explicitly states it will remember user parameters, learn preference patterns, and accumulate past cases, but it provides no notice, consent mechanism, retention limit, or data handling constraints. In a travel-planning context, these preferences can reveal location, budget, habits, and behavioral patterns, creating privacy and profiling risk if stored or reused without user awareness.

Missing User Warnings

Severity: Low (78% confidence)
The skill claims it will proactively provide information and predict user needs, but it does not warn users that behavior may be driven by inference rather than explicit requests. This can lead to unexpected personalization, over-collection of contextual signals, or user manipulation concerns, especially when paired with the stated self-learning features.

Missing User Warnings

Severity: Medium (95% confidence)
The guidance instructs the agent to store personal travel-profile information in a local plaintext file but does not clearly warn the user that their data will be written to disk persistently and unencrypted. This undermines informed consent and can lead to unexpected privacy leakage through local access, synchronization, or backups.

Missing User Warnings

Severity: Medium (91% confidence)
The skill instructs users to perform a global npm install and even suggests a sudo variant without warning about system-wide modification, package trust, or elevated-privilege risk. This creates avoidable supply-chain and privilege-escalation exposure, especially because the install is framed as mandatory before use.

Missing User Warnings

Severity: High (99% confidence)
The workflow recommends disabling TLS certificate verification for multiple networked commands and provides no warning that this defeats core transport security. Because the commands retrieve externally sourced travel data, an attacker on the network path could intercept or alter responses and mislead users or downstream automation.

Ssd 3

Severity: Medium (90% confidence)
Persisting user preferences and history across sessions creates a data retention surface that can leak through prompts, logs, or future responses, especially when natural-language memories are loosely structured. In a travel context, retained details may include departure cities, budgets, companions, and preferences that together form a meaningful personal profile.

VirusTotal

64/64 vendors flagged this skill as clean.