Paradiz

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real booking assistant, but it needs review because it stores and forwards guest personal data and has broader booking/database powers than its short description suggests.

Install only if you want a booking/CRM workflow, not just a VK price calculator. Remove bundled customer data, use dedicated Paradiz Telegram credentials, disable global Telegram fallback, add guest privacy/consent language, define retention and deletion rules for bookings/holds/leads/comments, and restrict database maintenance scripts to an explicit admin workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (17)

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The skill is described as using an Excel/CSV price source, but it also mandates persistent guest records, booking journals, and customer tags. This is dangerous because personal-data collection and retention are materially different from ephemeral price calculation and require stronger disclosure, controls, and retention rules.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill is described as using an Excel/CSV price source, but it also mandates persistent guest records, booking journals, and customer tags. This is dangerous because personal-data collection and retention are materially different from ephemeral price calculation and require stronger disclosure, controls, and retention rules.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The skill includes follow-up, review solicitation, seasonal campaigns, and VIP targeting unrelated to the stated quote-calculation purpose. These retention and marketing workflows create privacy and compliance risk because they enable profiling and unsolicited outreach without clear disclosure or consent in the skill definition.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Telegram notification workflows are extraneous to simply calculating and sending a VK quote, yet they involve transmitting booking and customer details to another channel. This increases exposure of personal data and expands the attack surface through third-party messaging infrastructure.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The script implements booking-hold creation, replacement, expiration, and listing while collecting and persisting client contact and stay details. That materially exceeds the declared skill purpose of answering VK pricing questions from an Excel price list, creating an undeclared data-handling and state-changing capability that could surprise operators and users and increase privacy/compliance risk.

Description-Behavior Mismatch

High
Confidence
90% confidence
Finding
The file writes persistent JSONL records to disk and mutates them later, introducing durable storage of customer booking information despite the skill being described as a lightweight pricing responder. Hidden persistence broadens attack surface, raises data minimization concerns, and can enable unauthorized retention or later misuse of personal data.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The script performs materially broader actions than the skill description suggests: it persists booking records, stores PII, generates booking documents, and can notify Telegram. That mismatch is dangerous because operators may grant or invoke the skill expecting only VK price quoting, while it actually creates durable records and triggers side effects involving customer data.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Telegram transmission is unrelated to the advertised purpose of generating short VK pricing replies, yet the code includes outbound messaging capability. Hidden or undocumented outbound channels increase risk because customer booking details can be sent off-platform without the operator expecting that behavior.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code reads a local platform configuration file to recover Telegram bot credentials and chat identifiers, which exceeds the narrow price-calculation role. Accessing broader platform secrets from within a skill increases blast radius: a simple quoting tool gains access to communication credentials and can send data externally.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
Generating booking documents from local templates is a side effect outside the stated VK pricing-response function. This creates undocumented handling of customer data and filesystem writes, making the skill more powerful and riskier than users or administrators would expect from its manifest.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script performs privileged state-changing operations on a local SQLite database, including DELETE, UPDATE, and INSERT statements over pricing data, even though the skill is described as answering customers based on a price sheet. In this context, the code expands the skill from read-only quote generation into an administrative data-synchronization tool, so malformed or unintended CSV input can overwrite or remove tariff records and corrupt business data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs collection and transmission of full name, phone, email, dates, and related booking details without any visible privacy notice or consent mechanism in the skill description. This is dangerous because users may disclose sensitive personal data without understanding that it will be retained and forwarded to managers/Telegram.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill silently stores booking data in local text files, JSONL, document files, and databases, but does not disclose this persistence to users. Undisclosed retention is dangerous because it increases the chance of privacy violations, unauthorized reuse of data, and insecure local storage of customer records.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The Telegram message includes guest name, phone, email, stay dates, and payment information, and the script sends it without any explicit user-facing disclosure at the transmission point. This creates a privacy and compliance risk because sensitive booking data is exported to a third-party messaging service without clear consent or minimization.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The script silently sources Telegram credentials from a local config file if environment variables are absent. While this is not direct credential exfiltration by itself, it obscures secret usage and can cause operators to unknowingly enable outbound messaging from a skill that appears unrelated to Telegram.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill requires persistent logging and retransmission of customer-provided personal data and comments across multiple files and Telegram notifications. This broad duplication of PII is dangerous because every additional copy increases breach risk, makes access control harder, and may propagate sensitive free-text comments beyond their original purpose.

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill directs creation of customer profiling tags and reuse of those tags for future personalized outreach. Profiling is risky because it expands processing beyond the immediate booking need, enables behavioral segmentation, and can be misused without the customer's awareness or consent.

VirusTotal

66/66 vendors flagged this skill as clean.
