ClawHub

TravelHound

Security checks across malware telemetry and agentic risk

Overview

TravelHound does what it says: it helps compare travel prices by guiding the agent to booking and travel sites, with no hidden credential use, persistence, or destructive behavior found.

Install only if you are comfortable with your destination, dates, guest count, budget, and route being used in searches on booking and travel sites. Consider narrowing or confirming activation before runs because some triggers are broad, and review CouponClaw/NewsToday separately since TravelHound may ask the agent to invoke them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger list contains very generic phrases such as "hotel in...", "trip to...", "travel to...", and multilingual equivalents that can easily match normal conversation outside a clear invocation context. This can cause unintended activation, leading users to disclose itinerary, dates, origin cities, and budget details to the skill and its downstream services without clear intent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill states that it uses live pricing from numerous third-party travel sites and related services, but it does not clearly warn users that their travel searches may be transmitted to multiple external platforms. Travel queries often include sensitive contextual data such as destinations, dates, family size, and budget, so silent sharing increases privacy and profiling risk.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger list contains broad, common travel terms such as "travel," "hotel," and "vacation," which can cause the skill to activate in many ordinary user conversations that are not specifically requesting this tool. Overbroad activation increases the chance of unintended invocation, prompt hijacking opportunities through irrelevant contexts, and user confusion about why the agent selected this skill.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal