travel planner

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a coherent travel-planning helper, but it asks agents to reuse logged-in travel/social sessions and shows persistent price monitoring without clear consent or stop controls.

Review before installing. Use it only if you are comfortable with browser automation against Xiaohongshu and Fliggy, possible reuse of logged-in sessions, and trip details being sent to travel, social, and weather services. Treat prices and itineraries as advisory unless the output shows live source data and timestamps, and do not enable any price monitoring unless there is an explicit stop condition and notification control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill documentation includes network access, browser automation, and shell execution patterns, but no explicit permission declaration or user-consent boundary is present. Undeclared capabilities are dangerous because they let a seemingly simple travel-planning skill reach external sites and run commands in ways users and hosts may not anticipate, increasing the risk of misuse or over-privileged execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The documented behavior does not align cleanly with the declared purpose and implied scope, especially around external weather services, browser-driven scraping, and missing implementation details for promised features. This mismatch is security-relevant because reviewers and users may approve or invoke the skill under false assumptions, while the actual runtime behavior reaches additional external services and operational paths.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The documented timeout fallback explicitly authorizes generating travel guides, flight prices, or partially fabricated data from model knowledge instead of real Xiaohongshu or Fliggy results. In a travel-planning and booking context, this can mislead users into acting on invented itineraries or prices, causing financial harm, bad bookings, or unsafe travel decisions because the output may appear authoritative despite not being verified.

Context-Inappropriate Capability

Low
Confidence
78% confidence
Finding
The inclusion of anti-scraping guidance indicates the automation is designed with awareness of platform defenses and suggests behavior intended to avoid detection while extracting content. Even though the tactic here is mild, it increases compliance and abuse risk by normalizing evasive scraping practices against third-party services unrelated to the core user benefit.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The examples introduce a recurring cron-based price-monitoring and notification workflow that materially expands the skill from one-shot trip planning into persistent background automation. This is dangerous because users and integrators may enable ongoing monitoring behavior, notifications, and repeated external queries without clear disclosure, consent boundaries, or lifecycle controls in the documented behavior.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README encourages automated use of Xiaohongshu content and Fliggy account-backed queries, but it does not clearly warn users what account/session data may be stored, reused, or exposed through browser profiles, login persistence, and generated reports. In a skill that automates browsing and booking-related workflows, this omission can lead users to unknowingly provide credentials, cookies, travel details, or personal itinerary data without understanding the privacy and account-handling risks.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill description does not clearly warn users that it will contact third-party services and access external travel content. Missing disclosure is risky because users may unknowingly send trip details, destinations, or dates to outside providers, creating consent and privacy concerns in addition to unexpected network activity.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document instructs extraction of note content, metadata, images, and booking URLs from third-party sites without any notice about privacy, copyright, terms-of-service, or downstream handling of scraped content. This creates legal, privacy, and trust risks because users or developers may collect, retain, or republish third-party data without understanding the constraints or obtaining proper consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The instructions tell the user to scan a QR code and reuse the authenticated session, but do not clearly warn that subsequent automation will act under the user's logged-in account and may access account-scoped data or perform actions attributable to that user. In a travel/booking context, operating inside an authenticated marketplace account raises the stakes because mistakes, unintended clicks, or future workflow expansion could affect bookings, personal data, or account integrity.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The markdown documents recurring background monitoring and user notifications without warning that the behavior persists beyond the current interaction. That omission can mislead users into authorizing long-lived tasks they do not expect, causing surprise notifications, repeated polling of third-party services, and possible privacy or resource-consumption issues.

VirusTotal

67/67 vendors flagged this skill as clean.