Itinerary Health Check (行程体检)

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real travel-itinerary checker, but it asks the agent to make broad system and network-security changes that users should review before installing.

Install only if you trust the FlyAI CLI and are comfortable with a global npm package. Prefer a pinned, local, non-sudo install; do not allow TLS verification to be disabled. Review or opt out of saved travel profiles, redact sensitive order/payment/passport data, and treat Feizhu booking links as third-party purchase handoffs whose prices and terms must be verified independently.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (21)

Context-Inappropriate Capability

Severity: High (confidence 96%)
Finding
The skill requires a global npm install/upgrade of a CLI before doing itinerary checks, which introduces unnecessary system modification and arbitrary third-party code execution risk. This is especially dangerous because the install is framed as mandatory and unrelated to the minimal task of analyzing a provided itinerary, expanding the skill from analysis into host-environment mutation.

Context-Inappropriate Capability

Severity: Critical (confidence 99%)
Finding
The skill explicitly instructs disabling TLS certificate verification via NODE_TLS_REJECT_UNAUTHORIZED=0, which allows man-in-the-middle interception and tampering of supposedly secure network traffic. In a travel workflow that may process itinerary details, prices, and links, this can expose user data and enable falsified search results or malicious redirection.

Description-Behavior Mismatch

Severity: Medium (confidence 83%)
Finding
The workflow expands from one-time itinerary checking into reading persistent user-profile data and using historical preferences, which exceeds the stated report-generation purpose. This broadening increases privacy exposure and creates unnecessary access to retained personal data without a strong task-bound justification.

Description-Behavior Mismatch

Severity: Medium (confidence 93%)
Finding
The example output goes beyond itinerary checking and includes direct booking links and conversion-oriented calls to action. This is dangerous because a validation skill may steer users into third-party transactions without clear scope boundaries, consent flow, or safety disclosures, increasing the risk of unintended purchases or affiliate-style redirection.

Context-Inappropriate Capability

Severity: Medium (confidence 96%)
Finding
The skill includes explicit purchase pathways for flights, hotels, and tickets, which materially changes it from an advisory checker into a commerce funnel. That mismatch is risky because users may trust the assistant's neutral diagnosis while being pushed toward third-party purchases that may involve tracking, affiliate incentives, or unvetted booking destinations.

Description-Behavior Mismatch

Severity: Medium (confidence 93%)
Finding
The referenced file documents an AI semantic-search capability, while the skill manifest describes an itinerary-checking and diagnostic function. Because the actual capability does not match the declared purpose, the agent may invoke a broader search tool under the guise of a narrower validation skill, increasing the chance of unexpected behavior, incorrect data handling, and violations of user trust.

Intent-Code Divergence

Severity: High (confidence 99%)
Finding
The guidance explicitly instructs operators to disable TLS certificate verification by setting NODE_TLS_REJECT_UNAUTHORIZED=0. That defeats server identity validation and allows man-in-the-middle interception or tampering with any HTTPS traffic used by the skill, which is especially risky if itinerary, account, or pricing data is fetched from external services.

Context-Inappropriate Capability

Severity: Medium (confidence 95%)
Finding
This document introduces persistent user-profile storage and retrieval as a standard capability even though the skill is described as a trip-checking/itinerary-diagnosis tool, not a profile-management assistant. Collecting and persisting travel preferences, household details, and history expands data access beyond what is necessary for the stated purpose, creating unnecessary privacy and data-retention risk.

Context-Inappropriate Capability

Severity: Medium (confidence 98%)
Finding
The file explicitly instructs non-Qoder environments to create, read, and update a local file under ~/.flyai/, which gives the skill durable access to user data outside the immediate session. For a trip-checking skill, writing into the user's home directory is an overbroad persistence mechanism that can expose personal travel, family, and budget information to other local processes or future unintended uses.

Missing User Warnings

Severity: Medium (confidence 90%)
Finding
The skill directs the agent to make system-wide changes by globally installing/upgrading software, but provides no explicit warning that this modifies the host environment. Even if the package were legitimate, silent system mutation violates safe execution expectations and can create persistence and supply-chain exposure.

Missing User Warnings

Severity: Medium (confidence 93%)
Finding
The suggestion to use sudo elevates the action from ordinary installation to privileged system modification, increasing the blast radius of any mistake or malicious package behavior. Recommending privilege escalation without strong safeguards is unsafe, especially for a travel-analysis skill that should not need administrative access.

Missing User Warnings

Severity: Medium (confidence 82%)
Finding
The skill instructs reading persistent user profile data without a clear privacy notice or consent mechanism in the workflow text. Accessing stored personal preferences for convenience can still expose unnecessary personal data and normalize silent retrieval of historical information.

Missing User Warnings

Severity: High (confidence 99%)
Finding
Telling the agent to disable TLS verification without a strong warning normalizes a dangerous insecure default that undermines transport security. This can let attackers intercept results, inject malicious content, or redirect bookings while the user and agent believe the connection is secure.

Missing User Warnings

Severity: Medium (confidence 92%)
Finding
Immediate external booking links are presented without warning that the user is leaving the assistant context or interacting with a third-party service. This can mislead users about who is handling the transaction and what protections apply, creating phishing, privacy, and trust-boundary risks.

Missing User Warnings

Severity: Medium (confidence 90%)
Finding
The content recommends canceling and rebooking flights based on price comparison without a robust warning to verify refundability, change fees, fare conditions, and timing constraints. This is dangerous because users can suffer direct financial loss or lose itinerary protections by acting on oversimplified advice.

Natural-Language Policy Violations

Severity: Medium (confidence 89%)
Finding
The output template hard-codes Chinese as the response language without any indication that this should depend on the user's language or explicit preference. This can cause poor UX, misunderstanding, and accessibility issues for users who interact in another language, especially in a travel-planning context where dates, bookings, and risks must be clearly understood.

Natural-Language Policy Violations

Severity: High (confidence 100%)
Finding
This is a direct mandate to bypass TLS verification via NODE_TLS_REJECT_UNAUTHORIZED=0, which disables a core HTTPS security control process-wide in Node.js: every tls and https connection the process makes stops checking server certificates. An attacker on the network path could spoof upstream services, inject false travel data, or capture sensitive user inputs without being detected.

Missing User Warnings

Severity: Medium (confidence 92%)
Finding
The document describes persistent local storage of sensitive profile attributes such as residence city, airport, budget, family composition, and travel history, but it does not provide a clear privacy warning, retention policy, access scope, or deletion guidance. That omission increases the chance that users and integrators will store personal data without understanding the risks or implementing appropriate safeguards.

Ssd 3

Severity: Medium (confidence 86%)
Finding
The skill encourages retrieving and using natural-language profile data tied to user travel preferences, which increases the risk of over-collection and unintended disclosure. Because the data is semantically rich and persistent, leakage or misuse can reveal behavioral patterns beyond what is needed for a single itinerary check.

Ssd 3

Severity: Medium (confidence 87%)
Finding
The memory design explicitly records user preferences, destination knowledge, and optimization feedback over time, creating a persistent repository of personal and behavioral data. This exceeds immediate task needs and raises privacy and secondary-use risks if the data is exposed, reused broadly, or retained indefinitely.

Ssd 3

Severity: Low (confidence 75%)
Finding
Prompting to save newly discovered preferences does introduce additional data retention risk, but the explicit prompt makes it less severe than silent collection. The concern is still real because repeated prompts can normalize accumulating personal data beyond the current task.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal