AI Flight Booking Assistant (AI机票预订助手)

Security checks across malware telemetry and agentic risk

Overview

This flight-booking skill fits its stated purpose, but it handles identity data, login tokens, and refunds with unsafe transport, storage, and transaction-scoping practices.

Review carefully before installing. Only use it if you trust the flight service and are comfortable entering passenger identity data; avoid booking, changing, or refunding tickets until TLS verification is enabled, credentials are stored in a protected location, PII output is masked, and refunds clearly confirm the exact tickets affected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Intent-Code Divergence

Severity: Medium
Confidence: 80%
Finding
The workflow examples require passing a phone number to several commands even though the formal command definitions do not include that parameter. In security-sensitive flows such as order lookup, cancellation, change, and refund, contradictory interface documentation can cause implementers or agents to collect and transmit extra personal data unnecessarily or to call the wrong operation with unintended arguments.

Intent-Code Divergence

Severity: High
Confidence: 94%
Finding
The privacy section states that personal information is sent externally only for booking, but later workflow instructions direct the agent to collect and transmit phone numbers for order queries, cancellation, rescheduling, and refund actions as well. This is a material privacy disclosure inconsistency that can mislead users about when their PII is shared and expands exposure across multiple account-affecting operations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 77%
Finding
The module persists an API key and associated phone number in a predictable temp-directory JSON file without any file-permission hardening, encryption, or OS-backed secret storage. In a multi-user system or hostile local environment, another process or user could read or replace that file, leading to credential theft, account misuse, or session hijacking for flight-booking operations.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The code explicitly disables TLS certificate validation by creating an unverified SSL context before calling the remote API. This enables man-in-the-middle interception or modification of authentication and booking traffic, including API methods and business parameters, which is especially dangerous because this skill handles travel booking and authentication data.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The authenticated API path also disables TLS certificate verification, exposing the apiKey and all authenticated requests to interception or tampering. Because this path performs authenticated flight operations, exploitation could allow credential capture, fraudulent booking changes, or manipulation of order data in transit.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The function sends highly sensitive personal data including passenger name, phone number, and ID card number to an API, but the script provides no consent notice, data-handling warning, minimization, or visible assurance about transport/security controls. In a flight-booking context this data transfer may be operationally necessary, but failing to disclose or protect PII increases privacy and compliance risk and can expose users if logs, intermediaries, or downstream systems are compromised.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding
The script prints the full passenger phone number and full ID number directly to the console, which can expose sensitive PII through terminal history, screenshots, shared sessions, logs, or monitoring systems. Because government ID numbers are highly sensitive and often used for identity verification, this creates a concrete confidentiality risk beyond normal booking functionality.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The script prints highly sensitive passenger PII, including full phone numbers and identity document numbers, directly to stdout without masking or minimization. In agent or shared-console environments, stdout may be logged, surfaced to other components, or exposed to operators, turning routine order lookup into unnecessary PII disclosure.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The script performs a refund submission immediately after fetching order details and deriving product IDs, without any explicit user confirmation or secondary verification step. In a flight-booking skill, refund operations can be financially impactful and operationally disruptive, so accidental invocation, parameter mistakes, or misuse by an upstream agent could trigger unwanted refunds.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The description advertises a wide range of flight-related actions, including search, booking, rescheduling, and refund processing, without defining narrow activation criteria or clear boundaries for when the skill should engage. In an agent environment, this can cause over-broad invocation on ambiguous user requests and may lead the skill to handle sensitive travel and transaction workflows when another tool or explicit confirmation should be required.

VirusTotal

67/67 vendors flagged this skill as clean.