ClawHub

marriott

Security checks across malware telemetry and agentic risk

Overview

This Marriott booking skill needs review because it reuses and stores browser login state, bypasses bot protections, and can submit real hotel reservations.

Install only if you are comfortable giving this skill control of a logged-in Marriott session and letting it create real reservations. Use a dedicated disposable Chrome profile logged into Marriott only, do not copy your normal browser cookies, verify the exact hotel, dates, cancellation terms, price, and payment before final submission, and delete cookies.json plus generated booking artifacts afterward.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script explicitly starts Chrome with a remote debugging port exposed on 9222, which enables external control over the browser session via the DevTools protocol. In the context of a hotel-booking skill that asks the user to manually log in first, this can grant access to authenticated cookies, page contents, and in-browser actions far beyond the stated booking intent, making account takeover or broader browser abuse possible if the port is reachable.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script does not stop at preparing a booking flow; it programmatically selects a payment option when needed and then clicks the final reservation button. In an agent skill context, this crosses from informational assistance into completing a financially binding transaction, creating a material risk of unauthorized purchases or bookings if prior state, selection files, or invocation are manipulated.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code launches Chromium with automation-evasion flags, hides navigator.webdriver, and injects a fake window.chrome object to avoid detection. Those behaviors are not necessary for a normal booking assistant and increase risk by deliberately bypassing site anti-automation controls, which can violate platform protections and make unauthorized automated transactions harder to detect.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script attaches to an already-running local Chrome instance over the remote debugging protocol and reuses its contexts/pages. That grants the skill access to the user's live browser session, cookies, authenticated tabs, and potentially unrelated browsing state, which exceeds what is necessary for a hotel-room lookup and creates a strong boundary-crossing risk.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script extracts cookies from an authenticated Chrome context and writes them to cookies.json on disk without any access controls or user disclosure. Session cookies can enable account takeover or replay of authenticated state if another local process, user, or follow-on tool reads the file.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The code and comments explicitly describe avoiding Akamai bot detection and then implement browser automation, direct URL construction, overlay removal, and recovery from blocking states. Evasion-oriented automation increases the likelihood of unauthorized access patterns, policy violations, and downstream misuse of a logged-in user's session.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The guide explicitly instructs copying the user's Chrome Cookies and Local State into a separate profile so the skill can reuse an authenticated session. That enables session hijacking and access to a broader authenticated browser context than is necessary for hotel search, making it equivalent to credential/session theft rather than ordinary automation.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Requiring a Chrome instance with remote debugging on port 9222 gives any process able to reach that interface the ability to inspect and control the live browser session. In this skill, that control is not narrowly limited to hotel booking and can expose unrelated tabs, cookies, and authenticated state.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The documentation openly states that the technique is intended to bypass Marriott/Akamai bot protections by using copied real cookies and a real-user browser profile. Deliberately evading anti-bot defenses is a strong indicator of unsafe behavior and increases the risk of account misuse, stealth automation, and policy circumvention.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger description is broad enough that normal conversation about hotels or check-in could invoke a skill that performs authenticated browsing and booking actions. Because this skill can act on a logged-in Marriott account and eventually submit reservations, accidental invocation materially increases the risk of unintended data access or transactions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script unconditionally kills existing Chrome processes before launching a new instance, which can terminate unrelated browsing sessions and destroy active user state without warning. In this skill context, that behavior is risky because users may have other authenticated tabs or unsaved work open, and abrupt termination can cause denial of service or accidental logout/data loss.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
After performing a live booking, the script writes confirmation details including hotel, room, dates, confirmation number, page URL, and text snippets to confirmation.json on disk. Persisting reservation artifacts locally without clear disclosure, minimization, or retention controls creates privacy and account-security exposure, especially on shared hosts or multi-tenant agent environments.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Persisting browser cookies to disk without warning is a privacy and security issue because users are not informed that authenticated session material is being retained locally. Those cookies may contain account/session identifiers that can be reused by other tools or attackers with filesystem access.

Natural-Language Policy Violations

High
Confidence
95% confidence
Finding
Documentation that the skill is intended to '规避 Akamai 检测' is a strong indicator of deliberate bypass of anti-automation controls rather than ordinary hotel search functionality. In the context of a script that attaches to an already logged-in browser session, this materially raises the abuse potential and trust risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The instructions tell the user to copy sensitive Chrome browser state into a temporary directory without clearly warning that this may expose authenticated sessions and other secrets to local processes. Even if intended for convenience, omitting that warning materially increases the likelihood of unsafe handling of sensitive data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The guide instructs enabling Chrome remote debugging but does not explain that the debugging endpoint can allow local browser control and data extraction. Users are therefore encouraged to expose a powerful control interface without understanding the security implications.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The workflow culminates in a real booking and returns a confirmation number, but the guide does not prominently warn that this may create charges, reservations, cancellation obligations, or other irreversible consequences. That makes accidental or unauthorized transactions more likely.

Ssd 2

Medium
Confidence
88% confidence
Finding
Paraphrased language about avoiding detection is still evidence of intent to circumvent security controls, even if it avoids overt exploit terminology. That matters because the surrounding code uses browser automation against a protected consumer site while leveraging an authenticated local session.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal