Travel Frog 旅行青蛙

Security checks across malware telemetry and agentic risk

Overview

This is a coherent virtual travel pet skill that stores local game progress and memories, with no evidence of hidden exfiltration or behavior outside that purpose.

Install this if you want an autonomous, persistent travel-frog companion that can write local game state, memories, diary entries, and media files, and can send scheduled updates. Avoid sharing sensitive personal information with it, keep the default or a dedicated state directory, review any separate image-generation skills it uses, and run reset only when you are comfortable losing stored game progress and collections.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (9)

Tainted flow: 'STATE_FILE' from os.environ.get (line 94, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
def save_state(state):
    ensure_dirs()
    with open(STATE_FILE, "w", encoding="utf-8") as f:
        json.dump(state, f, ensure_ascii=False, indent=2)

def load_collections():
Confidence
88% confidence
Finding
with open(STATE_FILE, "w", encoding="utf-8") as f:

Tainted flow: 'COLLECTIONS_FILE' from os.environ.get (line 95, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
def save_collections(collections):
    """Save the collections (archive) data."""
    with open(COLLECTIONS_FILE, "w", encoding="utf-8") as f:
        json.dump(collections, f, ensure_ascii=False, indent=2)

def _migrate_v1_to_v2(state):
Confidence
88% confidence
Finding
with open(COLLECTIONS_FILE, "w", encoding="utf-8") as f:

Tainted flow: 'STATE_FILE' from os.environ.get (line 94, credential/environment) → shutil.copy2 (file write)

Medium
Category
Data Flow
Content
    bak_path = STATE_FILE + ".v1.bak"
    if not os.path.exists(bak_path):
        import shutil
        shutil.copy2(STATE_FILE, bak_path)
        log.info(f"[migrate] backup → {bak_path}")

    # Extract the collections (archive) data
Confidence
82% confidence
Finding
shutil.copy2(STATE_FILE, bak_path)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill advertises executable commands that read and write state, collections, and media files, but the metadata declares no permissions. This creates a trust and policy gap: a host may present the skill as minimally privileged while it can still manipulate persistent local data, making review and sandboxing harder.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documented reset command wipes all data, yet the skill provides no warning, confirmation flow, or recovery guidance. An agent or user invoking it casually could irreversibly delete travel state and collections, causing integrity and availability loss for persisted data.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The reset command irreversibly deletes persisted state and collections with no confirmation, authentication, or safety interlock. In an autonomous agent skill, accidental invocation or misuse can cause denial of service and permanent loss of user data/history.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to append diary entries to local files via shell commands (`exec` with `echo >> file`) and to do so throughout normal operation. This creates an integrity and privacy risk because user interactions and agent activity are persisted to disk without any explicit consent, guardrails on content, or safer file-write abstraction; if any logged content is influenced by user input, shell-based appending also raises command-construction risk.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The file content is entirely written in Chinese and instructs the agent how to structure and update memory in Chinese without any indication of user consent, locale detection, or documented justification. This can override or constrain user-preferred language behavior, causing confusing outputs, inaccessible memory artifacts, and reduced transparency for users or operators who do not read Chinese.

Ssd 3

Medium
Confidence
97% confidence
Finding
The skill mandates broad, ongoing retention of travel events, conversations, recommendations, and learned information into multiple memory files, effectively building a persistent natural-language log of interactions. In this context, that is dangerous because it normalizes storing user-provided content and behavioral history indefinitely, increasing the chance of privacy leakage, unintended reuse, and exposure of sensitive details through later prompts or file access.

VirusTotal

66/66 vendors flagged this skill as clean.
