ClawHub
Back to skill
v1.0.4

Airport Pickups London

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 6:46 AM.

Analysis

This is a coherent airport-transfer booking skill, but users should notice that it can book, amend, cancel, and track transfers through a remote API using an API key.

GuidanceThis skill appears purpose-aligned for booking Airport Pickups London transfers. Before installing, understand that it requires configuring a remote MCP server with an API key and that approved actions may create, amend, cancel, or track real bookings while sending passenger and trip details to the provider.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusNote
SKILL.md
`book_transfer` — Create Booking ... `amend_booking` — Modify Booking ... `cancel_booking` — Cancel Booking

The skill exposes tools that can create, change, or cancel real travel bookings. This is expected for the stated purpose, and the artifact also instructs the agent not to book without user confirmation.

User impactThe agent could affect real-world travel arrangements if the user approves or requests those actions.
RecommendationConfirm the route, time, passenger details, price, and cancellation/amendment intent before allowing the agent to submit booking changes.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusNote
SKILL.md
**This skill requires an API key** via the `x-api-key` header. ... The API key authenticates the agent, not the end user.

The skill requires a service API key that authorizes the agent to use the booking API. This is disclosed and purpose-aligned, but users should treat the key as sensitive.

User impactAnyone or any agent with the API key may be able to use the associated booking API access.
RecommendationUse a dedicated API key for this integration, avoid sharing it, and revoke or rotate it if the skill is no longer needed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityMediumConfidenceHighStatusNote
SKILL.md
This skill sends the following data to the APL booking API: - Pickup and dropoff locations - Passenger name, phone, email - Flight numbers

The remote MCP/API flow sends personal and trip details to the provider. The data transfer is disclosed and necessary for booking, but it is sensitive information.

User impactPassenger contact details, itinerary locations, and flight information will be shared with the service provider.
RecommendationOnly provide passenger and trip details you are comfortable sending to Airport Pickups London, and review the provider's privacy practices if needed.