ClawHub

flightroutes24 ai

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This flight-booking skill is mostly purpose-aligned, but it needs review because it can place real orders and stores or displays sensitive traveler data while declaring no permissions.

Install only if you trust the publisher and intend to use Flightroutes24 booking. Do not paste API secrets into chat, clear the skill’s .cache after searches or bookings, verify every order confirmation carefully, and prefer a version that declares permissions, masks traveler PII, adds retention controls, and pins dependencies.

SkillSpector (8)

By NVIDIA

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no permissions in metadata, yet its documented behavior clearly requires environment-variable access, local file read/write to .cache, shell/script execution, and outbound network calls. This mismatch weakens platform trust boundaries and can cause the agent or reviewer to underestimate what the skill can do, increasing the risk of secret exposure, unintended file access, or unreviewed network activity.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Using the single-character trigger word “飞” is overly broad and likely to collide with normal conversation, causing accidental invocation of a skill that can search flights, access configured secrets indirectly, write cache files, and potentially place real bookings. In this context, false activations are more dangerous than in a read-only informational skill because the skill supports networked transactional actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The display functions assemble and return highly sensitive personally identifiable information, including full passenger names, birth dates, passport numbers, passport expiry dates, phone numbers, and email addresses, in a plaintext confirmation message. In a flight-booking context this data is operationally necessary, but exposing full values without masking or minimization increases the risk of accidental disclosure through logs, chat history, screenshots, analytics, or downstream integrations.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code persists booking/search context, including the original search payload, selected offer, trace identifiers, and processing metadata, to local files on disk without any visible consent flow, retention limit, or access control in this file. In a flight-booking skill, those records can contain itinerary and potentially traveler-related data, so local compromise, shared-user environments, or accidental log/cache disclosure could expose sensitive travel information.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script writes the full input search payload to a pending payload file before executing the search, again without any user-facing notice or safeguards shown here. Search payloads for airline booking commonly include travel dates, routes, passenger details, and preferences, making silent persistence an avoidable confidentiality risk if the host is multi-user or the cache directory is exposed.

Unpinned Dependencies

Low
Category
Supply Chain
Content
pycryptodome>=3.20.0
pypinyin>=0.51.0
Confidence
97% confidence
Finding
pycryptodome>=3.20.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pycryptodome>=3.20.0
pypinyin>=0.51.0
Confidence
95% confidence
Finding
pypinyin>=0.51.0

Known Vulnerable Dependency: pycryptodome — 3 advisory(ies): CVE-2018-15560 (PyCryptodome integer overflow vulnerability); CVE-2023-52323 (PyCryptodome and pycryptodomex side-channel leakage for OAEP decryption); CVE-2018-15560 (PyCryptodome before 3.6.6 has an integer overflow in the data_len variable in AE)

High
Category
Supply Chain
Confidence
92% confidence
Finding
pycryptodome

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal