AI机票预订助手 (AI Flight Booking Assistant)

Security checks across malware telemetry and agentic risk

Overview

This flight-booking skill is purpose-aligned, but it needs Review because it handles real bookings, refunds, API keys, and passenger identity data with weak transport, storage, and confirmation safeguards.

Review carefully before installing. Use only if you trust the flight-service provider, and avoid entering real passenger ID details until TLS verification, token storage, PII masking, temp-file handling, and explicit confirmation gates for booking, cancellation, change, and refund actions are fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Intent-Code Divergence
Severity: Medium
Confidence: 86%
Finding: The example workflow contradicts the formal command definitions by introducing extra parameters such as phone numbers for order_detail, cancel_order, endorse flows, and refund flows. In practice, this ambiguity can cause agents or wrappers to pass unintended user data, mishandle PII, or invoke the wrong script interface during sensitive booking, cancellation, or refund actions.

Intent-Code Divergence
Severity: Medium
Confidence: 93%
Finding: The refund fee display says the system will automatically submit the refund request after showing the fee, which directly conflicts with earlier instructions requiring explicit user confirmation before any refund submission. In a transactional travel skill, this inconsistency can lead to unintended irreversible user actions such as accidental refund initiation.

Context-Inappropriate Capability
Severity: Medium
Confidence: 99%
Finding: This code explicitly disables TLS certificate verification before making HTTPS requests. That permits man-in-the-middle interception or tampering with flight-auth traffic, and in this skill context even the unauthenticated flow may handle login/bootstrap data that should still be protected in transit.

Context-Inappropriate Capability
Severity: High
Confidence: 100%
Finding: The authenticated API path disables TLS verification while transmitting a persisted apiKey and potentially personal data in extra_params such as name, phone, or ID card. An attacker able to intercept traffic could steal credentials, read sensitive user data, or modify booking requests and responses.

Context-Inappropriate Capability
Severity: Medium
Confidence: 97%
Finding: The script prints the full `order_data` payload immediately before submitting the change request, which includes sensitive identifiers such as `order_id`, `ticket_ids`, and detailed seat/segment data. In a flight-booking skill, these values may be captured in logs, terminals, agent traces, or shared execution history, creating unnecessary exposure of booking-linked personal and transaction data.

Vague Triggers
Severity: Medium
Confidence: 90%
Finding: Using broad trigger phrases like '订这个、预订、下单' for order creation risks interpreting casual or exploratory conversation as consent to create a booking. Because this flow collects and transmits PII and can generate payable orders, mis-triggering has real financial and privacy consequences.

Vague Triggers
Severity: Medium
Confidence: 88%
Finding: The cancel-order trigger includes the vague everyday phrase '不要了', which may refer to abandoning a discussion rather than canceling an actual booking. In the context of a travel transaction system, ambiguous cancellation triggers can cause loss of reservations or user confusion.

Vague Triggers
Severity: Medium
Confidence: 82%
Finding: Generic phrases like '改期', '改签', '换航班' are too broad for a stateful booking workflow and may be triggered during informational queries rather than actual modification intent. This is especially risky because change flows can lead to pricing changes and subsequent payable modification orders.

Vague Triggers
Severity: High
Confidence: 96%
Finding: Including the broad trigger word '退票' for the refund submission action is dangerous because users often say '退票' to ask about policy or fees, not to authorize an actual refund request. Given that refunds can be irreversible or operationally sensitive, conflating inquiry and submission creates a high risk of unintended ticket cancellation/refund initiation.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The skill stores the apiKey and phone number in a predictable temp-directory file for 90 days, with no permission hardening, encryption, or user notice about persistence. On multi-user systems or insecure environments, other local processes or users may be able to read or replace this file and obtain credentials.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The script sends highly sensitive personal data including the passenger's real name, phone number, and government ID number to an API, but provides no privacy notice, consent prompt, masking, or explanation of how the data will be used. In a flight-booking context this transmission may be functionally necessary, but the absence of disclosure and safeguards increases the risk of unintended data exposure, mishandling, or user deception.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: Sensitive order and ticket data is emitted to stdout without any minimization or consent, which is especially risky in an agent skill where stdout is often persisted to platform logs or visible to operators. Because this is a flight-management workflow involving real bookings, leaking these identifiers can facilitate unauthorized order lookups, social engineering, or privacy violations.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The script persists flight and seat selection data to a temporary JSON file, and the file path is printed to stdout, creating unnecessary local retention of travel/order-related information. In a ticketing assistant context, this data can be sensitive operational metadata and may be exposed to other local users, later processes, or logs if the temp file is not access-controlled and cleaned up.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The script prints personally identifiable information from order data, including passenger names, phone numbers, identity document numbers, and ticket numbers, directly to stdout. In an agent or shared terminal/logging environment, this can expose sensitive travel and identity data to unauthorized users, logs, transcripts, or downstream tools without any masking, access check, or explicit confirmation that full PII should be revealed.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The script submits a refund request immediately after collecting order details and product IDs, without any explicit confirmation step from the user before invoking the transactional refundApply API. In a flight-booking skill, refund actions can alter bookings and trigger financial consequences, so accidental invocation, argument tampering, or unsafe orchestration could cause unintended cancellations or refund processing.

Vague Triggers
Severity: Medium
Confidence: 84%
Finding: The description advertises a wide range of high-impact actions such as flight search, booking, rescheduling, and refund processing without defining clear trigger boundaries or user-consent constraints. In a travel skill, this can cause over-broad invocation and unsafe handling of transactional requests, increasing the chance of unintended bookings, modifications, or refunds based on ambiguous user input.

Natural-Language Policy Violations
Severity: Medium
Confidence: 77%
Finding: The description is written entirely in Chinese and implies Chinese-language operation without indicating multilingual support or user choice. While not directly enabling code execution, this can mishandle user intent, reduce transparency, and cause risky misunderstandings in travel transactions where dates, passenger details, and change/refund terms must be precise.

VirusTotal

67/67 vendors flagged this skill as clean.