Security audit

tc特价机票查询 (tc discounted flight ticket query)

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a coherent flight-price and alert tool, but it includes misleading alert behavior, automatic fake-flight fallbacks, broad local installation changes, and shipped API-probing test code that warrant user review.

Review carefully before installing. Use it only if you are comfortable with your route/date queries being sent to third-party travel sites and, if configured, to Feishu. Treat returned results cautiously because the code can generate mock flights on failures and may claim a monitor was created when it was not. Avoid running the API exploration script, and review the installer before allowing it to overwrite anything in ~/.easyclaw/skills.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation describes capabilities that include network access, local file reads/writes, and shell execution pathways, yet it does not declare permissions or present clear boundaries for those operations. This creates a transparency and consent problem: users and hosting platforms cannot accurately assess the operational risk before installation or execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior materially diverges from the stated purpose by including persistent local storage of user query data, installation/registration actions affecting the user's environment, exploratory scraping/test behavior, and incomplete notification wiring. Such mismatch is dangerous because it can conceal side effects, broaden attack surface, and cause users to authorize a seemingly simple flight-query skill that actually modifies the system and retains data.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file persists raw user queries and full query results to local log files under logs/, which can capture sensitive travel plans, dates, routes, and possibly personal identifiers embedded in free-text queries. Because this storage is optional via --save but undocumented at the function interface level for typical callers, it creates a privacy and data-handling risk if enabled in shared or poorly secured environments.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The code tells users that price monitoring has been created and that Feishu notifications will be sent, but in this file it only appends a success message and performs no actual subscription setup. This is a security-relevant integrity issue because users may rely on alerts that do not exist, potentially missing price changes or making decisions based on false assurances.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This script installs an arbitrary local folder into the user's EasyClaw skills directory after only checking for the presence of a SKILL.md file and extracting a name with weak regex parsing. That behavior is unrelated to the advertised flight-query functionality and creates a local persistence/side-loading path that could be used to plant or replace skills, including malicious ones, if a user runs the script on an untrusted folder.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The code can overwrite an existing installed skill by moving it to a backup and then copying new content into the live EasyClaw skills directory. This expands the package's behavior beyond flight-price querying into modifying the host agent's installed capabilities, which is a risky privilege boundary because a deceptive or trojanized skill package could replace trusted skills with attacker-controlled content.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This code iterates through guessed third-party endpoints to discover undocumented APIs, which is reconnaissance behavior beyond the advertised flight-query and price-monitoring function. Even though it targets a travel site rather than the local host, such probing can violate service expectations, trigger abuse controls, and normalize unauthorized endpoint discovery inside an agent skill.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
Saving full page source and harvested response data for manual analysis expands collection beyond what is needed for normal ticket lookup. This can capture embedded tokens, user-specific metadata, or third-party content and leave it on disk in predictable locations where other local processes or users may access it.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
When upstream requests fail, the module silently returns fabricated "mock" flights while presenting them in the same shape as real results. In a flight-booking or price-monitoring skill, this can mislead users into making travel or purchase decisions based on false data, especially because the fallback is automatic and not clearly surfaced as an error condition.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The function advertises retrieval of real flight data, but the surrounding module can ultimately substitute generated flights on failure paths. That mismatch is dangerous because downstream components or users may trust the results as authoritative, causing false alerts, bad booking choices, or operational confusion.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README advertises continuous price monitoring and Feishu webhook notifications, but does not clearly warn users that the skill will perform periodic outbound requests and may transmit travel-related data to a third-party messaging endpoint. In a skill that stores config under the user's home directory and supports persistent subscriptions, this omission can lead to unintentional data disclosure, over-collection, or insecure handling of sensitive webhook URLs.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The release notes describe Feishu webhook notifications and subscription-based price monitoring, but they do not clearly warn that user query details, route preferences, and monitoring events may be transmitted to a third-party service. This creates a real privacy and informed-consent issue because users or administrators may enable the feature without understanding what travel-related data leaves the local system.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The subscription feature stores user travel-query details and may forward price-drop data to a configured Feishu webhook, but the skill text does not clearly warn users about that retention and outbound sharing. Even if the data is not highly sensitive by itself, travel plans can reveal personal patterns, and webhook delivery can expose information to unintended recipients if misconfigured.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The save_query_result function writes the user's raw query and generated result to disk without any built-in warning, consent flow, or data minimization. Travel-related queries can contain sensitive itinerary, timing, or personal context, so silent persistence increases privacy exposure and leakage risk on multi-user systems or environments with weak file protections.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The action keywords are broad enough that ordinary language such as '看', '关注', or '设置' may unintentionally trigger query or subscription flows. In a skill that can create price-monitoring subscriptions and push notifications, weak intent boundaries can cause unauthorized or surprising actions, especially if downstream confirmation is absent.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The script sends network requests to external third-party endpoints without any user disclosure or consent flow, including travel query parameters. In a skill context, silent outbound transmission is risky because users may not expect their request details to be sent to probed or undocumented services, especially when the code is explicitly exploring API behavior.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
Writing response payloads to local files without notice creates an unnecessary data-retention channel. Third-party responses may contain identifiers, pricing data, session-related content, or other metadata that persist beyond the user interaction and could be exposed to other users or processes on the host.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
This code stores additional endpoint response payloads locally for later inspection, again without disclosure or data minimization. Repeated collection of raw API responses increases the chance of retaining sensitive or proprietary information unrelated to the user-facing function of the skill.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
Saving the entire fetched page source to disk can capture far more data than necessary, including embedded state objects, tokens, tracking identifiers, and script URLs. In this skill, that behavior is more suspicious because it is tied to reverse-engineering and analysis of a third-party service rather than normal flight search execution.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.