Security audit

Zim

Security checks across malware telemetry and agentic risk

Overview

Zim appears to be a real travel-booking middleware skill, but it needs review because it combines payments, traveler PII, public webhooks, admin APIs, persistent logs, and multiple third-party data flows with weak default scoping and disclosure.

Install only after reviewing it as a high-impact travel and payment integration. Use test Stripe keys first, set ZIM_API_KEY and a separate ZIM_ADMIN_KEY, require Stripe and Twilio webhook secrets, restrict database file permissions, avoid storing real passport data unless necessary, disclose affiliate links and third-party AI/provider processing to users, and define retention/deletion rules for conversations, approvals, travelers, and booking records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (31)

Context-Inappropriate Capability

Medium severity, 75% confidence
This API combines core travel-booking functions with broad administrative capabilities for tenants, policies, traveler records, and fee reporting in the same service boundary. In a compromise or auth-misconfiguration scenario, the blast radius is much larger because sensitive business administration and traveler PII management are exposed alongside operational endpoints.

Context-Inappropriate Capability

Medium severity, 77% confidence
A public webhook endpoint is not only ingesting inbound messages but also invoking a conversational agent and triggering outbound Twilio messages. That broadens the service from middleware into externally reachable message-processing automation, increasing abuse potential, prompt-injection exposure, and the consequences of webhook validation failures or misconfiguration.

Description-Behavior Mismatch

Medium severity, 91% confidence
The module persists the full itinerary and approval metadata to a predictable local path under the user's home directory, including destination, dates, notes, status, and a full serialized itinerary. In a travel-booking context this can expose sensitive travel patterns and potentially personal or corporate trip details to other local users, backups, malware, or later unintended processing, especially because data minimization and retention controls are absent.

Intent-Code Divergence

Medium severity, 95% confidence
The code contradicts its own safety comment: when provider integration is still pending, it transitions the booking to BOOKED instead of leaving it in BOOKING_IN_PROGRESS or a distinct pending state. In a travel-booking workflow, this can cause the system or downstream agents to treat an unconfirmed reservation as finalized, creating fulfillment, customer-notification, and financial errors.

Description-Behavior Mismatch

Medium severity, 95% confidence
The module advertises car rental search but does not query any provider or aggregator; it fabricates fixed provider options and estimated prices. In a travel-booking skill, this can mislead users or downstream agents into believing the returned options reflect real availability and pricing, causing poor decisions, policy bypasses, or deceptive affiliate redirection.

Intent-Code Divergence

Medium severity, 94% confidence
The public search() docstring claims to return search results, but the implementation always returns a hard-coded set of providers with synthetic prices derived from a class-rate table. This is dangerous because consumers of the function may trust the output as factual market data and automate recommendations, approvals, or payment preparation based on fabricated information.

Description-Behavior Mismatch

Medium severity, 95% confidence
The conversation logger is designed to persist full WhatsApp message content, tool-call metadata, errors, and review flags for analytics. In a travel-booking assistant, messages may contain sensitive personal and financial context such as names, itineraries, contact details, and booking intent, so storing raw transcripts without minimization materially increases privacy and breach exposure.

Context-Inappropriate Capability

Medium severity, 94% confidence
The orchestrator sends the user's raw message plus detailed travel state to OpenRouter for intent parsing, which is a third-party external service. This creates a real data-exposure risk because itinerary details, travel dates, and preferences may be sensitive personal data, and the code does not appear to minimize, redact, or constrain what is shared beyond what is needed for NLU.

Intent-Code Divergence

Medium severity, 98% confidence
The implementation of health_check always returns True after calling search_flights, even though search_flights intentionally swallows API/auth/network failures and returns an empty list. This creates a false-success health signal that can cause monitoring, deployment checks, or booking workflows to assume Kiwi connectivity and credentials are valid when they are not.

Intent-Code Divergence

Medium severity, 96% confidence
The method is documented as performing an atomic transition, but it performs a read (`get`) and a write (`update`) as separate operations with separate database connections and no transaction spanning both. In concurrent use, two callers can read the same prior state, both pass transition validation, and then overwrite each other, causing lost updates or invalid workflow progression; in a travel booking workflow this can lead to inconsistent approval/payment state and policy bypasses.

Missing User Warnings

Medium severity, 88% confidence
The setup documentation explicitly describes persistent storage of WhatsApp conversation state in SQLite, but provides no guidance on data minimization, retention notice, access controls, encryption, or user consent. In a travel-booking context, conversations can contain names, phone numbers, locations, dates, and potentially booking-related details, so undocumented retention meaningfully increases privacy and compliance risk.

Missing User Warnings

Medium severity, 81% confidence
The file documents required environment tokens for external travel services and describes routing user requests through affiliate/search APIs, but omits security guidance for handling credentials and outbound transmission of user-provided travel data. In this skill, messages may contain itinerary details and personal contact context, so lack of warning or controls around secrets and third-party sharing creates avoidable exposure risk.

Vague Triggers

Medium severity, 87% confidence
The invocation scope is broad enough to match many ordinary travel-related requests, which can cause this skill to activate in situations where users only wanted general advice rather than tool-driven search, persistence, or payment preparation. In this context, over-broad routing is more dangerous because the skill can use external APIs, handle sensitive preferences, create payment workflows, and generate outbound booking links.

Natural-Language Policy Violations

Low severity, 80% confidence
The skill directs automatic use of a WhatsApp conversational agent for WhatsApp-channel messages without describing user opt-in, consent to stateful storage, or locale/language handling. Because the flow persists conversation state via SQLite and handles travel and potentially payment-adjacent data, implicit activation can create privacy, policy, and user-expectation problems.

Missing User Warnings

Medium severity, 92% confidence
The guide mandates adding affiliate `marker` parameters to all deeplinks for commission tracking, but it does not require any user-facing disclosure or consent. In a travel-booking agent context, this creates a transparency and trust risk because users may be steered through monetized links without being informed that the agent/operator benefits financially from their clicks or bookings.

Missing User Warnings

Medium severity, 95% confidence
One QA scenario includes personal-style data such as a frequent flyer number in a message that is then sent through the live orchestrator to external LLM/search providers. In the context of a travel skill that uses third-party APIs, this creates unnecessary disclosure of sensitive test data and normalizes sending quasi-PII to external services without minimization or explicit safeguards.

Missing User Warnings

Medium severity, 96% confidence
The script embeds TRAVELPAYOUTS_TOKEN directly into query-string URLs for both API and booking links. Query parameters are commonly exposed via process listings, shell history, logs, proxies, and browser/referrer leakage, so this unnecessarily broadens credential exposure beyond the intended API call.

Missing User Warnings

Medium severity, 91% confidence
The script persists WhatsApp conversation state in a local SQLite database, but the operational flow shown here provides no user-facing notice, consent, or retention disclosure. Because the stored data can include travel plans, identifiers, and potentially sensitive preference information, silent persistence increases privacy and compliance risk if users are unaware their messages are retained.

Missing User Warnings

Medium severity, 88% confidence
Approval records with full itinerary data are written to disk without any indication in this file of notice, consent, or transparent handling of stored travel data. In this skill's context, the records may contain sensitive itinerary details, approval notes, and business-travel metadata, making undisclosed persistence a privacy and compliance risk even if no remote exfiltration occurs.

Missing User Warnings

High severity, 89% confidence
The booking executor is given extensive traveler PII and itinerary data, including passport number, with only a caller-supplied executor name selecting the implementation. In this skill context, that is more dangerous because travel booking inherently handles high-value personal data and external providers/scripts may be affiliate or placeholder integrations, so weak executor trust boundaries can lead to unauthorized disclosure or misuse of sensitive traveler information.

Missing User Warnings

Medium severity, 92% confidence
The executor includes traveler PII (first name, last name, email) inside provider_raw_response, a field described as raw API/debug data and therefore likely to be logged, persisted, or exposed to internal tooling without strict need. In a travel-booking context, this is more dangerous because the system processes real identities and booking/payment workflows, increasing the chance of privacy violations, data leakage, and noncompliance if debug artifacts are surfaced or retained improperly.

Missing User Warnings

Medium severity, 87% confidence
The deeplink builders encode user itinerary details such as pickup location and dates directly into third-party affiliate URLs without any consent or notice mechanism. In this skill context, travel search data may reveal sensitive behavioral or location information, and silently transmitting it to multiple providers increases privacy and compliance risk.

Missing User Warnings

Medium severity, 92% confidence
The search function sends origin, destination, travel dates, cabin preferences, and related itinerary constraints to multiple third-party providers (Travelpayouts, Kiwi, and SerpApi) without any indication in this module that user consent, notice, or privacy gating is enforced before disclosure. In a travel-booking context, this is sensitive behavioral and travel-planning data, and sharing it broadly with several external services increases privacy and compliance risk, especially if the caller assumes searches are handled internally.

Missing User Warnings

Medium severity, 89% confidence
The search flow sends user-supplied travel details such as destination, travel dates, and occupancy to third-party providers and also embeds that data into affiliate deeplinks. In a travel-booking skill this is expected functionality, but without explicit consent, disclosure, or data-minimization controls, it creates a real privacy risk because itinerary data can reveal sensitive personal or business travel patterns to external services.

Missing User Warnings

Medium severity, 92% confidence
The code logs all user messages for analytics and feedback review, but there is no user-facing disclosure in this file that conversations are being retained for non-essential analytics purposes. For a travel assistant handling potentially sensitive trip and booking details, undisclosed transcript collection increases privacy, compliance, and insider-access risk.

VirusTotal

67/67 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.