Tour Compare

Security checks across malware telemetry and agentic risk

Overview

This is a coherent travel-comparison skill, but it needs Review because it can fetch user-supplied web pages and write local files, with weak scoping of where those files go and no clear disclosure to the user of either behavior.

Install only if you are comfortable with live web fetching, OCR or parsing of submitted screenshots, dependency installation, and local report exports. Prefer JSON input or --no-fetch for sensitive comparisons, redact screenshots before use, and avoid export paths that could overwrite important files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Intent-Code Divergence

Low
Confidence: 93%
Finding
The code hardcodes absolute local file:// paths pointing to a specific user's workspace directory. This can leak local environment details such as username and filesystem layout, and the generated links will be invalid or misleading on other systems. In this skill context, the issue is somewhat limited because it is a UI summary helper, but exposing host-specific paths is still an information disclosure and portability problem.

Missing User Warnings

Medium
Confidence: 90%
Finding
The changelog documents a feature that accepts arbitrary third-party travel URLs and fetches their contents, but it does not clearly warn users that using the feature triggers outbound network access to external sites. In an agent/skill context, undocumented network behavior can surprise users and create privacy/compliance issues, and, if URL handling is not restricted to the intended domains, it also creates SSRF-like risk.

Missing User Warnings

Medium
Confidence: 92%
Finding
The document promotes URL crawling/scraping of third-party travel platforms and provides direct usage examples, but it does not clearly warn users that running these commands will trigger outbound network requests to external sites. In an agent skill context, missing disclosure around automatic network access can lead to unintended data transmission, policy violations, or interaction with third-party services without informed user consent.

Vague Triggers

Medium
Confidence: 95%
Finding
The trigger conditions are broad enough to match ordinary travel-planning conversation, which can cause the skill to activate when the user did not explicitly request link fetching, OCR, or comparison behavior. In this skill, unintended activation matters because downstream processing may include external URL retrieval, image analysis, and report generation, expanding the privacy and data-handling surface without clear consent.

Vague Triggers

Medium
Confidence: 91%
Finding
The natural-language examples are ambiguous and encourage activation on common requests that may only warrant a clarifying question. Because this skill can process links, screenshots, and travel-product data, unclear activation boundaries increase the chance of over-collection or unexpected processing of user-supplied content.

Missing User Warnings

Medium
Confidence: 96%
Finding
The input section invites users to submit links, screenshots, and structured data but does not clearly warn that the system may fetch remote pages or process images/content externally. That omission creates a privacy and transparency problem: users may unknowingly expose itinerary details, account-linked URLs, or image contents to external tooling or network requests.

Missing User Warnings

Low
Confidence: 93%
Finding
The documented file:// report output implies local file creation and encourages opening it without warning the user about where the file is written or what opening it does. Even if intended for convenience, silent local artifact generation can surprise users and may expose data in shared environments or leave sensitive travel comparisons on disk.

Missing User Warnings

Medium
Confidence: 91%
Finding
The guide recommends directly sending screenshots for automatic recognition and comparison, but it does not warn users that screenshots may contain sensitive personal data such as names, booking IDs, account details, or payment information. In a skill that processes user-supplied travel screenshots, this omission increases the risk of over-collection and unintended disclosure of personal data.

Missing User Warnings

Low
Confidence: 90%
Finding
The documentation includes a hard-coded absolute file:// path pointing to a specific user's home directory on a local workstation. This leaks environment-specific information such as username and directory structure, which can aid fingerprinting, social engineering, or accidental disclosure when copied into generated output.

Missing User Warnings

Low
Confidence: 90%
Finding
This second example repeats exposure of an absolute local file:// path tied to a specific user environment. Repetition increases the chance the pattern is propagated into the skill's actual outputs, causing persistent leakage of workstation-specific details to end users or logs.

Missing User Warnings

Medium
Confidence: 94%
Finding
The documentation explicitly instructs users to pass an API token on the command line, which can expose the credential through shell history, process listings, terminal logs, or CI job output. Although this is documentation rather than executable code, published guidance strongly influences user behavior, so it creates a real credential-handling risk. Reading the token from an environment variable or from a file readable only by the owner avoids all of these exposure paths.

Missing User Warnings

Medium
Confidence: 91%
Finding
The crawler makes outbound requests to user-supplied URLs via Puppeteer without an explicit allowlist, user confirmation, or safeguards against internal/private-network targets. This creates SSRF-like risk and unexpected data transmission from the host running the skill, especially because a full browser may fetch subresources and execute page logic during navigation.

Ssd 3

Medium
Confidence: 98%
Finding
The example exposes an internal absolute local filesystem path via file://, revealing the username and workspace layout. Such disclosure leaks environment details that can aid fingerprinting, social engineering, or targeted follow-on attacks, and it normalizes showing sensitive internal paths directly to end users.

Ssd 3

Medium
Confidence: 98%
Finding
This repeated example reinforces disclosure of local report paths, increasing the likelihood that the implementation routinely exposes internal filesystem details. Repetition in documentation makes the behavior appear intentional and acceptable, which increases the chance it persists into production use.

Ssd 3

Medium
Confidence: 98%
Finding
Another output sample leaks local environment information through a file:// path, confirming a pattern rather than an isolated documentation mistake. In aggregate, these disclosures reveal host-specific details and may expose where generated artifacts containing user travel data are stored.

VirusTotal

66/66 vendors reported this skill as clean.
