lann-booking

Security checks across malware telemetry and agentic risk

Overview

The skill’s main booking purpose is coherent, but its bundled test scripts can send live booking requests and personal phone data to a real external service with limited safeguards.

Review before installing. The core skill is for Lann massage lookups and bookings, but do not run the bundled test scripts unless you intend to contact the live booking service. Avoid using real customer phone numbers in tests, confirm all booking details before submission, and treat full request/response logging as unsafe unless phone numbers and other personal data are redacted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares no permissions, yet its documented behavior includes network access to remote MCP endpoints and references to test scripts that likely invoke shell/network capabilities. This creates a transparency and control gap: a host may treat the skill as low-privilege while it actually depends on external connectivity and executable tooling, increasing the chance of unintended outbound requests or unsafe execution paths.

Tp4

High
Category
MCP Tool Poisoning
Confidence
86% confidence
Finding
The skill description presents a simple store/service lookup and booking workflow, but the referenced resources and integration modes imply additional behavior such as connecting to external MCP infrastructure, fallback direct API calls, and test automation. This mismatch undermines user and platform trust because operators may approve the skill for a narrow purpose while it can initiate broader external interactions than expected.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The document states that phone numbers should be masked in logs, but later advises operators to record complete request and response contents for debugging. Since booking requests include a user's mobile number and responses may contain other identifying details, this creates a clear risk of exposing sensitive personal data in logs, screenshots, or support artifacts. In this booking context, the issue is more dangerous because mobile numbers are required for service fulfillment and are likely to be routinely handled.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script is labeled as a test utility, but it sends real POST requests to a live booking creation endpoint and can create actual reservations using hardcoded customer and service data. In an agent-skill context, this is dangerous because running 'tests' can trigger unintended real-world side effects, consume business resources, and create bookings without explicit user confirmation.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The documentation frames the file as an API test script, but the implementation performs state-changing operations against a production-like booking endpoint rather than simulation or read-only validation. This mismatch increases the chance that users, reviewers, or automated systems execute it assuming low risk, leading to unintended bookings and operational abuse.

External Transmission

Medium
Category
Data Exfiltration
Content
print(json.dumps(payload, indent=2, ensure_ascii=False))

    try:
        response = requests.post(
            API_ENDPOINT,
            headers=HEADERS,
            json=payload,
Confidence
90% confidence
Finding
requests.post( API_ENDPOINT, headers=HEADERS, json=

External Transmission

Medium
Category
Data Exfiltration
Content
print(json.dumps(payload, indent=2, ensure_ascii=False))

    try:
        response = requests.post(
            API_ENDPOINT,
            headers=HEADERS,
            json=payload,
Confidence
89% confidence
Finding
requests.post( API_ENDPOINT, headers=HEADERS, json=

VirusTotal

59/59 vendors flagged this skill as clean.
