Tennis Grand Slam Trip Planner For Slam Chasers

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent tennis travel planner that uses a disclosed third-party travel CLI, with privacy and visa-advice cautions but no evidence of malicious behavior.

Install only if you are comfortable using the flyai CLI and sharing travel search details with that service. Verify visa requirements with official government or consular sources for your own passport, and delete /tmp/slam-trip-results after running the helper script on shared machines.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs the agent to send user travel details such as departure city, dates, destination, and ticket-related queries to external flyai services, but it provides no user-facing notice or consent step before those network calls. This creates a real privacy and data-handling risk because sensitive itinerary information is shared with third parties without transparency, and the travel-planning context makes those details especially personal.

Natural-Language Policy Violations

Medium
Confidence: 86%
Finding
The file hard-codes visa guidance for Chinese passport holders without clearly labeling it as country-specific or prompting for the traveler’s nationality. In a travel-planning skill, this can mislead non-Chinese users into following incorrect entry requirements, causing booking errors, denied boarding, or failed visa preparation.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script transmits user-supplied travel details such as origin city and travel dates to external flyai services without any explicit notice, consent checkpoint, or data-minimization control. In a travel-planning skill this sharing is functional, but undisclosed transmission of itinerary data to third-party APIs creates a real privacy and compliance risk, especially if users do not expect their inputs to leave the local agent context.

VirusTotal

63/63 vendors flagged this skill as clean.
