Security audit

Travel Planner

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Camino travel-planning API wrapper, but running it sends your itinerary locations to Camino.

Install this only if you are comfortable giving Camino an API key and sending waypoint coordinates, stop names, trip constraints, and route preferences to Camino's service. Use the single-skill install path unless you intentionally want the full Camino companion suite, and avoid including sensitive home, workplace, medical, or private-trip details unless you trust Camino's data handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 94%
Finding:
The skill sends highly precise waypoint and itinerary data to a third-party API, but the setup/usage text does not clearly warn users that sensitive travel plans and exact locations will leave the local environment. Travel itinerary data can reveal home/work patterns, routines, meetings, and other sensitive physical-world information.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The script sends user-supplied itinerary data, including waypoint coordinates and trip details, to an external Camino API without any explicit user-facing disclosure at runtime. In a travel-planner context this transmission is functionally expected, but it is still a genuine privacy issue because sensitive location and movement data may be shared off-host without informed consent or minimization.

External Transmission

Medium
Category: Data Exfiltration
Content:
fi

# Make API request
curl -s -X POST \
    -H "X-API-Key: $CAMINO_API_KEY" \
    -H "Content-Type: application/json" \
    -H "X-Client: claude-code-skill" \
Confidence: 95%
Finding:
curl -s -X POST \ -H "X-API-Key: $CAMINO_API_KEY" \ -H "Content-Type: application/json" \ -H "X-Client: claude-code-skill" \ -d

VirusTotal

65/65 vendors flagged this skill as clean.