southeast-asia-arrival-card
ReviewAudited by ClawScan on May 10, 2026.
Overview
Prompt-injection indicators were detected in the submitted artifacts (unicode-control-chars); human review is required before treating this skill as clean.
This skill appears safe to use for travel-form guidance, but do not upload passport, ticket, or hotel documents unless you are comfortable sharing them with the assistant. Verify all extracted information and personally approve any official government-form submission. ClawScan detected prompt-injection indicators (unicode-control-chars), so this skill requires review even though the model response was benign.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Passport numbers, names, dates of birth, travel plans, hotel addresses, email addresses, and phone numbers may be visible to the assistant during the task.
The skill intentionally extracts passport/MRZ, ticket, and hotel data into the agent conversation context so it can help fill travel forms.
使用 `read_image` 工具读取护照照片...提取护照信息页上部的个人信息...识别底部 MRZ
Only upload documents when needed, verify extracted fields before use, avoid sharing unnecessary pages, and rely on the platform’s privacy controls for deletion or retention.
If automated or copied into a real script, incorrect data could be submitted to an official government travel system and may affect entry processing.
The automation framework describes browser-style workflows that could fill, verify, and save official arrival-card submissions.
await this.navigateToWebsite() ... await this.fillMalaysia() ... await this.handleEmailVerification() ... await this.saveConfirmation()
Treat automation as optional guidance only; review every field and require explicit user approval before any official form is submitted.
Users may over-trust the skill’s privacy wording when deciding whether to upload sensitive passport or travel documents.
The skill makes privacy and deletion assurances, but the provided artifacts are instruction-only and do not include implementation evidence for those guarantees.
不保存原始文档...处理完成后删除临时数据...符合隐私保护法规
Check the hosting platform’s actual data retention and privacy policy rather than relying only on the skill text.