Travel Planner Pro

Pass

Audited by VirusTotal on May 10, 2026.

Overview

Type: OpenClaw Skill
Name: normieclaw-travel-planner-pro
Version: 1.0.3

Travel Planner Pro is a well-structured and security-conscious skill bundle for itinerary management. It includes explicit prompt-injection defenses in SKILL.md and follows privacy-first data handling practices, such as masking sensitive passport information and using local storage with strict file permissions (chmod 600/700). The bash script scripts/trip-reminder.sh and the setup instructions in SETUP-PROMPT.md use safe coding practices, including path validation, symlink checks, and input sanitization to prevent common vulnerabilities like path traversal or shell injection.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running setup will create and modify local files and permissions in the workspace.

Why it was flagged

The setup guide asks the agent/user to run local shell commands and later copy a helper script into the workspace. This is expected setup behavior, not hidden execution, but it is still code execution in the user's environment.

Skill content

Run these commands to create all necessary directories and set permissions: `mkdir -p travel/trips` ... `chmod 700 travel travel/trips`

Recommendation

Review the setup commands and helper script before running them, especially because this package is listed with an unknown source and no homepage.

What this means

Anyone with access to the workspace may learn sensitive travel habits, dates, companions, and document-related details.

Why it was flagged

The skill intentionally stores a persistent travel profile containing personal preferences, companions, loyalty details, and passport expiry information, then reuses it for future planning.

Skill content

Profiles live in `travel/travel-profile.json`... `passport_valid_through`, `companions`, `loyalty_programs`, `learned_preferences`

Recommendation

Do not store raw passport numbers, payment card numbers, or booking credentials; periodically review or delete the travel profile if it is no longer needed.

What this means

Search and weather providers may receive parts of the trip context needed for research.

Why it was flagged

The skill sends destination research and weather queries to external tools/providers. This is expected for travel planning, but travel dates, destinations, coordinates, and related query terms may leave the local workspace.

Skill content

Use `web_search` to gather... Typical daily costs... Current visa requirements... Use `web_search` or `web_fetch` to query Open-Meteo

Recommendation

Avoid including passport numbers, booking confirmation numbers, or other unnecessary sensitive details in search requests.

What this means

A user might share more sensitive travel information than necessary if they rely solely on the marketing language.

Why it was flagged

These are strong privacy and audit claims. Other artifacts do disclose web search, Open-Meteo calls, and optional dashboard/database concepts, so the claims should be treated as assurances to verify rather than guarantees.

Skill content

100% private... Codex Security Verified... Zero data exfiltration. Your travel plans, passport info, and budget stay on YOUR device.

Recommendation

Treat the privacy claims cautiously; only provide the data required for the task and review any optional dashboard/cloud setup separately.