mt-travel-ai

Security checks across malware telemetry and agentic risk

Overview

This travel skill appears legitimate, but it asks users to paste a sensitive Meituan API token into chat and stores it locally in plaintext.

Install only if you trust the Meituan CLI and are comfortable with this skill handling a developer API token. Prefer configuring the token yourself outside the chat in a protected environment or credential store, avoid pasting secrets into conversation, and rotate the token if it has already been shared.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding
The skill instructs the agent to invoke a `message` tool specifically for WeChat delivery, but the declared scope is travel search/booking and does not establish that cross-channel messaging is authorized or available. This can cause unintended actions in another communication channel, expand the skill’s effective capabilities, and create a path for data exfiltration or unauthorized outbound messaging if the runtime exposes such a tool.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding
The document says tokens are highly sensitive and should not be printed in conversation, yet it explicitly instructs the user to send the token string in chat. That contradiction normalizes unsafe secret handling and increases the likelihood that credentials will be exposed in logs, transcripts, model context, or downstream integrations.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The flagged line of the skill directly instructs the user to transmit a highly sensitive API token through the chat interface. Chat is not an appropriate secret-entry channel: messages may be retained, audited, visible to other tools, or leaked through prompt/context handling, which makes credential theft and account misuse more likely.

Ssd 3

Severity: High
Confidence: 99%
Finding
The skill instructs the agent to solicit an API token from the user in chat and persist it to a local config file for future use. This combines unsafe secret collection with long-term credential storage, increasing the blast radius if the conversation, filesystem, agent environment, or other tools are compromised.

Ssd 3

Severity: High
Confidence: 99%
Finding
The token refresh procedure repeats the same unsafe pattern by requesting a replacement credential via chat and overwriting the stored token. This creates recurring opportunities for credential exposure and encourages users to handle secrets in an insecure channel whenever authentication fails.
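The Overview recommends keeping the token out of the conversation and in a protected store, and the last two findings describe the opposite: a token solicited in chat, written to a plaintext config file, and re-solicited in chat on every refresh. The block below is an added example of the recommended handling, not code from the skill or from the Meituan CLI. It shows the plaintext pattern beside an owner-only (0600) store, a loader that reads from the environment or that file and refuses a file other local users can read, a refresh message that sends the user out of band instead of asking for the new token in chat, and a redaction pass for anything that is echoed back. `MT_API_TOKEN`, the file paths and the sample token are assumptions for illustration.

```python
"""Added example (not the skill's or the Meituan CLI's code): credential handling
that keeps a developer API token out of the chat transcript. ENV_VAR, the paths
and the sample token below are assumptions for illustration."""
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import Mapping, Optional

ENV_VAR = "MT_API_TOKEN"  # assumed name, not the skill's real variable


def insecure_store(token: str, path: Path) -> None:
    """The pattern the findings flag: plaintext config, readable by any local user.
    The chmod makes the usual umask-022 outcome (0644) explicit and deterministic."""
    path.write_text(token)
    path.chmod(0o644)


def secure_store(token: str, path: Path) -> None:
    """Owner-only (0600) file, written atomically so no reader sees a partial token."""
    path.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".token-")
    try:
        os.fchmod(fd, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(token)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def file_mode(path: Path) -> int:
    """Permission bits only (e.g. 0o600), ignoring the file-type bits."""
    return stat.S_IMODE(path.stat().st_mode)


def load_token(path: Path, env: Optional[Mapping[str, str]] = None) -> str:
    """Resolve the token without ever asking for it in chat.

    Environment first, then the file; a group- or world-readable file is refused
    so a misconfigured store fails closed instead of quietly working."""
    env = os.environ if env is None else env
    value = env.get(ENV_VAR, "").strip()
    if value:
        return value
    if not path.exists():
        raise LookupError(f"No token: export {ENV_VAR} or write it to {path} "
                          "with mode 0600. Do not paste it into the conversation.")
    if file_mode(path) & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} has mode {file_mode(path):04o}; refusing "
                              "to use a token other users can read")
    return path.read_text().strip()


def on_auth_failure(path: Path) -> str:
    """Refresh guidance that keeps the replacement credential out of chat."""
    return (f"Authentication failed. Rotate the token out of band, then export "
            f"{ENV_VAR} or update {path} (mode 0600) and retry.")


# Deliberately broad: any run of 24+ token-like characters is masked, which also
# catches UUIDs and most bearer/API tokens. A known token is masked first.
_TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_\-])[A-Za-z0-9_\-]{24,}(?![A-Za-z0-9_\-])")


def redact(text: str, token: Optional[str] = None) -> str:
    """Mask secrets before text reaches the transcript, a log, or a tool argument."""
    if token:
        text = text.replace(token, "[REDACTED]")
    return _TOKEN_RE.sub("[REDACTED]", text)


def demo() -> dict:
    """Exercise both patterns in a scratch directory and report the outcome."""
    token = "mt_live_abcdefghijklmnop123456"  # constructed sample, not a real credential
    work = Path(tempfile.mkdtemp(prefix="mt-skill-"))
    bad, good = work / "config.txt", work / "token"
    insecure_store(token, bad)
    secure_store(token, good)
    out = {"insecure_mode": file_mode(bad), "secure_mode": file_mode(good)}
    out["loaded_from_file"] = load_token(good, env={})
    out["env_wins"] = load_token(good, env={ENV_VAR: "from-env"})
    try:
        load_token(bad, env={})
        out["insecure_rejected"] = False
    except PermissionError:
        out["insecure_rejected"] = True
    out["redacted"] = redact(f"curl -H 'Authorization: Bearer {token}'", token)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, f"{value:04o}" if isinstance(value, int) else value)
```

The loader never has a code path that accepts a token from the conversation, so an agent following it cannot be talked into the pattern the findings describe; the permission check turns a plaintext-config mistake into a hard failure with an actionable message, and `redact` is what the skill should run over any output it echoes back or passes to another tool such as the `message` tool noted in the first finding.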

VirusTotal

0 of 60 vendors flagged this skill; all 60 reported it as clean. Note that VirusTotal matches files against known malware signatures, so a clean result says nothing about the plaintext credential handling described in the findings above.

View on VirusTotal