Aerobase Skill

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Aerobase flight and jetlag API client; it sends travel details to Aerobase as expected for its features.

Install only if you are comfortable sharing the travel details you ask the skill to analyze with Aerobase. Keep AEROBASE_API_KEY secret, rotate it if exposed, and avoid including confidential meeting names, health details, passport data, or sensitive business context unless you trust Aerobase to process it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium (91% confidence)
Finding
The description minimizes the operational scope of the skill, which weakens informed consent and review accuracy. Because the extra features include itinerary analysis and recovery planning, users may expose more sensitive travel and scheduling data than they expected.

Missing User Warnings

Medium (96% confidence)
Finding
The skill sends detailed travel itineraries and even meeting/commitment times to an external API without any warning, privacy notice, or consent guidance. Travel plans and schedules are sensitive operational and personal data, and transmitting them to a third party can expose user location patterns, business travel details, and meeting timing.

Missing User Warnings

Medium (84% confidence)
Finding
The tool sends user-provided travel details to a third-party API but does not provide any explicit disclosure, consent prompt, or privacy notice in the CLI flow. This can expose sensitive itinerary and behavioral data to an external service without the user's informed awareness, which is especially relevant because travel plans can reveal location patterns and personal schedules.

VirusTotal

64/64 vendors flagged this skill as clean.
