携程机票助手 - ctrip flight

Security checks across malware telemetry and agentic risk

Overview

This Ctrip flight-search skill mostly matches its stated purpose, but it weakens HTTPS protection and stores/transmits tracking-style identifiers, so users should review it before installing.

Install only if you are comfortable sending route/date queries and generated Ctrip identifiers to Ctrip. Avoid using this version on untrusted networks until HTTPS certificate verification is fixed, and prefer an update that removes the TLS bypass, documents or limits the cookie cache, narrows triggers, and pins dependencies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill clearly performs network access, reads bundled files, and likely writes output, yet it declares no permissions or capability boundaries. This is dangerous because users and hosting systems cannot accurately assess what the skill is allowed to do, reducing transparency and making unintended data access or exfiltration harder to detect.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
This obfuscated module does substantially more than flight search: it inspects browser and runtime properties, enumerates window/document fields, checks automation indicators such as webdriver, plugin behavior, canvas/WebGL/audio capabilities, cookies, timezone, and client identifiers, then folds them into a generated signature. In a flight-search skill, this is not necessary for core functionality and creates a covert fingerprinting/bot-detection surface that can track users or discriminate against automated access without transparency.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The code retrieves cookie values and tracking identifiers, including client IDs from browser/global objects or injected environments, combines them with browser state, and derives a request signature. That exceeds the stated flight-search purpose and enables persistent correlation of user activity across sessions or environments, especially because the implementation is intentionally obfuscated.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger phrases are broad enough to match ordinary travel conversation, which can cause the skill to activate unexpectedly. In this skill's context, accidental activation is more concerning because it can send user itinerary details to a third party and invoke reverse-engineered API logic without clear user awareness.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The description omits that user travel queries are transmitted to Ctrip and that access relies on reverse-engineered anti-crawl mechanisms, including generated headers and scraped cookies. This lack of disclosure undermines informed consent and creates legal, privacy, and platform-risk exposure, especially if users do not expect third-party sharing or nonstandard API access.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The module gathers multiple fingerprinting signals and identifier sources without any visible notice, consent flow, or justification in the file. In the context of a consumer flight-search skill, silent collection of device/browser characteristics and IDs raises privacy and compliance risk and makes misuse harder to detect because the code is obfuscated.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script globally disables TLS certificate validation by setting check_hostname=False and verify_mode=ssl.CERT_NONE, then uses that context for all HTTPS requests. This allows a man-in-the-middle attacker to intercept or modify responses from Ctrip endpoints, potentially feeding false flight/pricing data or manipulating cookies and request flows without detection.

VirusTotal

64/64 vendors flagged this skill as clean.
