ClawHub

Aerobase Travel Hotels

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Aerobase hotel API skill with account-affecting booking features and a documentation inconsistency, but no hidden code, persistence, or automatic third-party browsing was found.

Install only if you are comfortable giving the agent an Aerobase API key for hotel search and account-affecting travel actions. Require explicit user confirmation before booking, canceling, amending, rebooking, or redeeming loyalty points, and treat the browser-powered Pro comparison claim as unclear unless Aerobase documents exactly what sites are accessed and what data is shared.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The skill claims it is 'API-only' with 'no browser automation,' but later advertises browser-powered comparison on Booking.com and Google Hotels. This inconsistency can mislead operators and users about the actual trust boundary, data flows, and permissions required, which is a real security concern because hidden browser automation expands attack surface and may enable unreviewed third-party interaction.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Advertising browser-powered live price comparison on third-party hotel sites is not justified by the documented Aerobase API workflow and introduces undeclared external interactions. In a booking skill, that matters because browser automation against third-party travel sites can expose itinerary data, increase prompt/tool injection risk from scraped content, and bypass the principle of least privilege expected from an API-only integration.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal