All-in-One Flight Booking, Domestic Edition - Search Only

Security checks across malware telemetry and agentic risk

Overview

This is a coherent flight-search skill, but it documents unverified latest-version installs and pipe-to-shell installer commands that deserve user review before use.

Install only if you trust RollingGo and the rollinggo-flight package source. Prefer npx, npm, or uvx from a reviewed version, avoid the curl/irm pipe-to-shell installer unless you first inspect and verify it, and store ROLLINGGO_API_KEY in per-skill configuration rather than host-wide environment settings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The document instructs users to execute remote installer scripts directly from the network using shell and PowerShell pipes without any integrity verification, pinning, or warning. This is dangerous because a compromised upstream repository, MITM in a less trusted environment, or malicious script update would result in immediate arbitrary code execution on the user's machine.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation instructs users to execute remotely fetched install scripts directly via the shell/PowerShell without any integrity verification, pinning, or warning. This creates a supply-chain risk: if the GitHub source, network path, or referenced script is compromised, arbitrary code will run on the user's system immediately.

External Script Fetching

Low
Category
Supply Chain
Content
**Linux / macOS:**
```bash
curl -fsSL https://raw.githubusercontent.com/RollingGo-AI/rollinggo-flight-cli/main/scripts/install.sh | sh
rollinggo-flight --help
```
Confidence
98% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/RollingGo-AI/rollinggo-flight-cli/main/scripts/install.sh | sh

Chaining Abuse

High
Category
Tool Misuse
Content
**Linux / macOS:**
```bash
curl -fsSL https://raw.githubusercontent.com/RollingGo-AI/rollinggo-flight-cli/main/scripts/install.sh | sh
rollinggo-flight --help
```
Confidence
99% confidence
Finding
| sh

VirusTotal

65/65 vendors flagged this skill as clean.
