分贝通机票助手

Security checks across malware telemetry and agentic risk

Overview

This flight-booking skill does what it claims, but it handles credentials, identity data, bookings, changes, and refunds with weak transport and privacy safeguards.

Review before installing. Use only in a trusted local environment, assume passenger and order data may appear in command output or logs, and require explicit confirmation before booking, cancelling, changing, or refunding any ticket. The TLS verification bypass should be fixed before use with real accounts or sensitive travel data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill performs network access and reads/writes local files, including persistent auth material in ~/.fbt_auth.json and cached seat data under /tmp, but declares no permissions. This creates a transparency and consent gap: a host may grant broader capabilities implicitly than users or reviewers expect, increasing the risk of unauthorized data exfiltration or unsafe local state handling.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 83%
Finding: The top-level description understates the skill's real behavior by omitting authentication, local persistence, rule lookup, order detail retrieval, and cancellation capabilities. This mismatch can mislead operators and users about what data is collected, what actions can be taken, and what side effects occur, which is especially sensitive in a travel-booking workflow handling PII and account-linked actions.

Intent-Code Divergence

Severity: Medium
Confidence: 80%
Finding: The full-flow examples contradict the earlier command definitions by adding an extra phone parameter to the order-detail, cancel, endorse, and refund commands. In operational use, such inconsistency can cause developers or orchestrators to pass incorrect arguments, potentially leading to failed actions, accidental disclosure of phone numbers on command lines, or invocation of the wrong backend semantics.

Intent-Code Divergence

Severity: Medium
Confidence: 84%
Finding: The refund-fee display says the system will automatically submit a refund request upon user agreement, while earlier sections require a separate explicit confirmation step before calling the refund API. In a destructive workflow like ticket refunding, ambiguous confirmation semantics can trigger unintended irreversible actions or weaken the safety boundary between quote and execution.

Intent-Code Divergence

Severity: Medium
Confidence: 99%
Finding: The code explicitly disables TLS certificate verification via ssl._create_unverified_context() before sending live API requests. That enables man-in-the-middle interception or modification of authentication and booking traffic, which is especially risky for a flight-booking skill handling credentials and personal/travel data.

Intent-Code Divergence

Severity: Medium
Confidence: 99%
Finding: The authenticated API wrapper also disables TLS certificate validation while transmitting apiKey and business parameters. Because this path carries authenticated requests, an attacker on the network could intercept credentials, tamper with requests, or alter responses used for booking, rebooking, or refunds.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The booking trigger includes very broad phrases such as '订这个' ("book this one") and '预订' ("book"), which can match casual conversation without sufficient confirmation context. Because booking is a state-changing action involving PII and potential financial commitment, overly permissive invocation increases the chance of unintended order creation from ambiguous or incomplete user input.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: Using '退票' ("refund ticket") as a broad trigger for refund submission is risky because users may mention refunds to ask about policy or fees rather than to execute a cancellation. In this context, refunding is a destructive account action, so loose matching can lead to unintended submission if the agent confuses inquiry with authorization.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The markdown examples include full real-looking personal identifiers such as name, phone number, and national ID despite the skill explicitly handling sensitive PII. Even if illustrative, unmasked examples normalize unsafe handling, risk accidental reuse in testing or logs, and may expose regulated data formats that should be redacted by default.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The order detail template instructs displaying full passenger name, ID number, phone number, and ticket number without masking or warning. In a conversational interface, this can leak sensitive identity and travel information into chat history, logs, screenshots, and downstream telemetry, creating a significant privacy and fraud risk.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The skill stores the apiKey and phone number in a predictable temporary-directory file (.fbt_auth.json) for up to 90 days, with no file-permission hardening or secure secret storage. On multi-user or shared systems, temporary locations are a weak place for long-lived credentials and personal data, increasing the chance of local disclosure or theft.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The code sends authentication and business data over the network while certificate verification is disabled, so the transport is not actually trustworthy even if the URL is HTTPS. In this skill context, the transmitted data can include apiKey, phone, identity details, and booking operations, making interception or tampering materially harmful.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The script prints the full `order_data` structure immediately before submitting the endorse request, which likely includes sensitive identifiers such as `order_id`, `ticket_ids`, flight segment details, and possibly passenger-linked booking metadata. In an agent or CLI environment, stdout is often captured in logs, transcripts, or monitoring systems, so this creates an avoidable data exposure risk beyond the intended API call.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The script prints sensitive personal and booking data, including passenger name, phone number, identity document number, and ticket number, directly to output without masking or contextual privacy safeguards. In an agent environment, stdout may be logged, surfaced to unintended users, or retained in transcripts, creating a realistic risk of PII exposure even if the API call itself is legitimate.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The script performs a refund submission immediately after fetching order details and constructing product IDs, with no confirmation step, dry-run mode, or secondary verification before invoking the refund API. In a flight-booking context, refund requests are financially impactful and may be difficult or impossible to reverse once accepted for processing, so accidental execution by an operator or calling agent can cause real customer harm.

Vague Triggers

Severity: Medium
Confidence: 81%
Finding: The description advertises a wide set of high-impact actions such as flight search, booking, rescheduling, and refunds without defining clear activation boundaries or user-confirmation requirements. In a travel skill, this can cause the agent to invoke transactional behavior too broadly, increasing the risk of unintended bookings, changes, or refunds from ambiguous user requests.

VirusTotal

66/66 vendors flagged this skill as clean.