bleisure-micro-vacation

Security checks across malware telemetry and agentic risk

Overview

This travel-planning skill is mostly coherent, but it automatically uses powerful local browser automation and stores travel history in ways users should review before installing.

Install only if you are comfortable with the skill using third-party map lookups, keeping a local travel-history log, and potentially controlling a logged-in Chrome session through a shared localhost CDP proxy for Xiaohongshu links. Prefer keyword-only mode unless you fully trust the external CDP setup, and avoid enabling remote debugging on your primary browser profile.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill instructs execution of a local Node.js script from a user-specific filesystem path to check dependencies, which expands its capability from travel planning into local code execution. Because skill content must be treated as adversarial, asking the agent to run a local script can expose the host environment to unintended command execution, environment probing, or abuse if that script is modified or replaced.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill mandates CDP-based Xiaohongshu scraping, which introduces browser automation beyond the stated travel-assistant purpose. Browser automation can access authenticated sessions, dynamic content, and local browser state, making the skill materially more dangerous than simple web search or keyword suggestion.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The manifest describes outputting Xiaohongshu keywords, but the body escalates to mandatory extraction of real links via CDP when available. This mismatch is dangerous because it hides more powerful behavior than users or reviewers would expect, weakening informed consent and allowing undeclared scraping capability to slip in under a benign travel-planning description.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The template requires automatic Xiaohongshu scraping via CDP and says real high-like links "must" be attached when CDP is available, which expands the skill from trip suggestion into browser/app automation against a third-party service. That creates unnecessary data-access and automation risk, especially if the browsing session is authenticated or can access personalized content, and the requirement is not essential to fulfilling the stated travel-planning purpose.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The instruction to append to `standups.md` introduces persistence of conversation-derived data that is not disclosed in the skill's user-facing purpose. Undisclosed storage creates privacy and governance risk because location, schedule, and preference details from travel conversations may be retained beyond the immediate task without clear necessity or consent.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill instructs the agent to control the user's local Chrome via CDP and scrape Xiaohongshu content, which materially exceeds a normal travel-recommendation role and grants access to the user's live browser context. That creates a powerful capability boundary violation: the agent can interact with authenticated web content and potentially access more than the stated purpose requires.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Reusing a shared local CDP proxy on localhost:3456 and the user's existing browser session exposes authenticated browsing context to the skill and to any component able to reach that proxy. Shared browser-control infrastructure increases the chance of cross-skill access, session misuse, or unintended access to unrelated tabs and data.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The workflow explicitly depends on the user being logged into Xiaohongshu in Chrome, meaning the skill is designed to leverage an authenticated personal session to retrieve content. Using a user's logged-in state for automated extraction raises privacy, account, and session-abuse risks beyond what is necessary for itinerary suggestions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs sending user-provided place names, hotel names, neighborhoods, and inferred city context to the Amap API, but it does not require any explicit user notice or consent before sharing that location context with a third party. In a travel assistant, these details can reveal a user's current whereabouts, lodging, and movement patterns, creating a real privacy risk even if the feature is functionally legitimate.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This guidance explicitly encourages alcohol-focused and massage options as normal recommendation categories, but does not require any user-facing safety checks or cautions such as intoxication risk, solo-travel safety, consent/boundary-sensitive framing, or business legitimacy. In a travel skill used for late-night, in-between-trip situations, omission of these safeguards can steer tired or vulnerable users into higher-risk situations without adequate warnings.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The scenario examples normalize late-night bars, isolated walks, and massage recommendations while showing no visible safety disclosure, which makes the unsafe pattern operational and easy for the agent to imitate. Because examples strongly shape model behavior, this increases the chance the skill will recommend risky nightlife activities to solo travelers without caution about environment, transport, intoxication, or venue legitimacy.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The 00:00–06:00 guidance specifically includes massage/coffee/night-walk options for an 'insomnia' context without any warning or boundary note. At those hours, users are more likely to be alone, fatigued, disoriented, or in unfamiliar neighborhoods, so recommending such activities without guardrails raises personal safety and exploitation risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document says CDP capture should run automatically after selecting a place, but it does not clearly inform the user that their local logged-in Chrome will be controlled and read. Lack of transparent notice and consent for browser automation and data access is a meaningful privacy and trust violation.

Missing User Warnings

High
Confidence
98% confidence
Finding
The instructions tell the user to enable Chrome remote debugging but do not warn that this can expose powerful browser-control capabilities to local processes and potentially other tools. Encouraging users to weaken browser security settings without adequate warning materially increases attack surface.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill requires persistent logging of user travel history, preferences, and conversation-derived data into a shared memory file by default, including cross-session reuse. This creates privacy and cross-user data leakage risk, especially in a shared/team environment, because personal movement patterns and preferences may be retained without explicit opt-in and could be exposed to unrelated sessions or operators.

External Transmission

Medium
Category
Data Exfiltration
Content
1. First use `/eval` to inspect the actual DOM structure:
   ```bash
   curl -s -X POST "http://localhost:3456/eval?target=TARGET_ID" \
     -d 'document.querySelector(".feeds-container")?.innerHTML?.substring(0, 2000) || document.body.innerHTML.substring(0, 2000)'
   ```
2. Adjust the selectors according to the actual structure and extract again.
Confidence
84% confidence
Finding
`curl -s -X POST "http://localhost:3456/eval?target=TARGET_ID" \ -d`

VirusTotal

VirusTotal findings are pending for this skill version.