LovTrip AI Travel Planner

Security checks across malware telemetry and agentic risk

Overview

This is a coherent travel-planning skill, but it relies on an external MCP package and travel details may be sent to mapping, AI, hotel, or flight services.

Install only if you trust the LovTrip MCP package. Prefer pinning a specific version instead of `@latest`, use restricted and revocable AMAP/OpenRouter keys, avoid committing keys, and share only the travel details needed for the requested itinerary, hotel, or flight search.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Vague Triggers

Medium
Confidence: 92%
Finding
The skill description says it should be used whenever a user needs travel planning, itinerary generation, or searching attractions/hotels/flights, which is broad enough to activate on many ordinary travel conversations. Overly broad activation can cause unnecessary tool use and unintended disclosure of travel details to the external LovTrip service before the user clearly requests that handoff.

Vague Triggers

Medium
Confidence: 95%
Finding
The instruction to begin checking required fields whenever the user mentions travel/trips/itineraries creates an ambiguous activation condition that can capture incidental mentions rather than explicit requests. In practice this can steer the agent into collecting detailed trip information and preparing external tool calls even when the user did not intend to engage the skill.

Missing User Warnings

Medium
Confidence: 97%
Finding
The hotel and flight search capabilities process sensitive travel metadata such as destination, dates, passenger count, and price preferences, yet the skill does not warn users that these details may be sent to external services. This creates a transparency and privacy issue because users may disclose personal itinerary information without informed consent to third-party systems.

VirusTotal

65/65 vendors flagged this skill as clean.
