Security audit

AI机票预订助手

Security checks across malware telemetry and agentic risk

Overview

This flight-booking skill has a coherent purpose, but it handles real orders, refunds, credentials, and identity data with unsafe transport and storage choices that need review before use.

Install only if you intend to use this for real Chinese flight booking workflows and are comfortable sending passenger identity data to the configured external service. Before using it for real orders, the publisher should restore normal TLS verification, store credentials in a protected per-user location, mask PII in output, fix command examples, and require explicit confirmation before booking, cancellation, rescheduling, or refund submission.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Intent-Code Divergence

Medium
Confidence: 90%
Finding
The full-flow examples contradict the documented command signatures by appending a phone number to several commands that do not declare that parameter. In practice, this can lead to mis-execution, argument confusion, accidental disclosure of extra PII on the command line, and unsafe operator behavior when implementing or invoking the scripts.

Context-Inappropriate Capability

Medium
Confidence: 99%
Finding
The code explicitly creates an unverified SSL context and uses it for HTTPS requests, which disables certificate validation and makes the client vulnerable to man-in-the-middle interception. In a flight-booking context, these requests can carry authentication data and traveler information, so a network attacker could steal or tamper with sensitive data and API responses.

Context-Inappropriate Capability

Medium
Confidence: 99%
Finding
The authenticated API wrapper also disables TLS certificate verification before transmitting requests that include the apiKey and booking-related business parameters. This allows an active attacker on the network path to impersonate the server, capture credentials, and alter booking or pricing data returned to the skill.

Vague Triggers

Medium
Confidence: 82%
Finding
The trigger word “预订” is overly broad for a state-changing purchase workflow. Because this skill can create orders and transmits passenger PII to an external service, a weak trigger increases the risk of unintended order initiation or unnecessary collection/exposure of sensitive data when the user was only discussing options.

Vague Triggers

High
Confidence: 94%
Finding
Using the single broad trigger “退票” for refund submission is dangerous because refunding is an irreversible, high-impact state-changing action. In this context the user may be asking about policy or fees, yet the trigger could route directly into a refund-application path involving live orders and financial consequences.

Missing User Warnings

Medium
Confidence: 85%
Finding
The code persists the returned apiKey via save_api_key(api_key, phone) immediately after OTP verification, but gives the user no warning about credential persistence, storage location, or lifetime. In a flight-booking skill, a stored bearer credential may allow access to booking, refund, rebooking, or personal travel data if the host environment is shared or compromised.

Missing User Warnings

Medium
Confidence: 88%
Finding
The module stores the apiKey and phone number in a predictable file under the system temporary directory, which is often less protected and may be accessible to other local users or processes depending on platform configuration. Persisting credentials there without restrictive permissions or encryption increases the risk of credential theft and unauthorized API use.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script sends highly sensitive personal data including passenger name, phone number, and government ID number to an API via createOrder without any visible consent prompt, privacy notice, minimization, or transport/privacy safeguards in this file. In a flight-booking context this data flow is functionally necessary, but the absence of explicit disclosure and safeguards increases privacy and compliance risk if the API, logs, or downstream systems are mishandled.

Missing User Warnings

Medium
Confidence: 99%
Finding
The script prints the passenger's full name, phone number, and ID number directly to stdout before creating the order. This can expose PII in terminal scrollback, shell history capture tools, CI logs, agent transcripts, or support screenshots, making accidental disclosure much more likely in an environment where an AI agent may log command output.

Vague Triggers

Medium
Confidence: 89%
Finding
The description advertises a wide range of actions such as flight search, booking, rescheduling, and refunds without clear trigger boundaries or conditions for activation. In an agent ecosystem, overly broad activation wording can cause the skill to be selected in situations involving travel-related language even when the user did not clearly intend transactional operations, increasing the risk of unintended tool use or over-collection of user data.

Natural-Language Policy Violations

Low
Confidence: 78%
Finding
The description is written only in Chinese and frames the skill as a Chinese-language assistant without indicating multilingual handling or user language choice. This can cause mismatches between user intent and agent behavior, especially if the orchestrator prefers this skill for relevant intents regardless of the user's language, leading to confusion or incorrect transactional interactions.

VirusTotal

67/67 vendors flagged this skill as clean.