Security audit

Resy Hunter

Security checks across malware telemetry and agentic risk

Overview

This skill fits its reservation-monitoring purpose, but it deserves review because it uses real account credentials, saved sessions, background monitoring, and Telegram credential reuse from local OpenClaw config.

Review before installing. Use only on a trusted machine, prefer dedicated Resy/OpenTable/Telegram accounts or tokens, avoid sharing logs or config that contain credentials, protect or delete ~/.openclaw/data/resy-hunter when done, and enable cron monitoring only if you are comfortable with repeated background requests and Telegram alerts containing reservation details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Description-Behavior Mismatch

Severity: Low
Confidence: 89%
Finding
The documentation understates the skill's data handling by framing it as reservation monitoring while it also reads Telegram configuration and stores watchlist and browser session data on disk. This mismatch can mislead users about persistence and credential-adjacent data exposure, creating privacy and local compromise risk if those files are not adequately protected.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The skill uses browser automation for OpenTable login and explicitly advertises Cloudflare-bypass behavior for Tock, which is more invasive than simple availability checks and may expose authenticated sessions or encourage unsafe anti-bot circumvention. That broader behavior raises the security and compliance risk surface beyond what users may expect from a monitoring tool.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding
Calling the skill 'read-only' is misleading because it also directs the agent to create/remove cron jobs and write watchlist/session files. Mislabeling write and scheduling behavior can cause users to authorize the skill under false assumptions, which is dangerous when persistent background execution is involved.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
This reference explicitly instructs users to extract a static API key from browser traffic and use a reverse-engineered private API with account credentials. That creates clear guidance for credentialed access to an unofficial interface, increasing the risk of account compromise, Terms-of-Service violations, and unsafe handling of authentication material beyond the stated reservation-monitoring purpose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The script searches unrelated OpenClaw configuration files in the user's home directory and reuses any Telegram bot token it finds. This creates a cross-context secret harvesting issue: a skill can silently appropriate credentials from another application or agent configuration and use them for its own outbound messaging, which violates least privilege and can enable unauthorized use of an existing bot identity.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The description does not prominently warn that background monitoring can send restaurant preferences, dates, party sizes, and availability activity through Telegram alerts. Even if expected functionally, this is a privacy-sensitive data flow to a third-party messaging channel and should be disclosed up front.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The credential setup instructs users to supply Resy email, password, and an extracted API key without a strong warning about handling sensitive secrets or limiting their exposure. Encouraging manual secret extraction and storage increases the risk of credential leakage, accidental logging, and misuse by the skill or surrounding tooling.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The documentation explicitly instructs use of account credentials and persistent browser session storage, including a concrete filesystem path for saved authenticated state, but provides no warning about protecting those secrets or the risks of session-token reuse. In a skill that automates third-party accounts via Playwright, exposed credentials or stolen session files could allow unauthorized access to the user's OpenTable account and potentially enable account misuse from the persisted browser context.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The document tells users how to obtain and use sensitive authentication material, including a static API key, auth token, and email/password flow, without any warning about secret exposure, storage, rotation, or minimization. In a skill designed to monitor reservations, this makes the capability more dangerous because it normalizes collecting high-value account credentials for an unofficial service integration.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The script automatically retrieves a bot token and transmits arbitrary message content to Telegram without any user-facing disclosure, confirmation, or consent boundary. In a skill that monitors reservations this may seem expected, but because it can source credentials from external configs and send whatever message is supplied, it can be repurposed to exfiltrate sensitive data or send unauthorized notifications silently.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The script persists Playwright storage state back to a fixed file under the user's home directory, which can include authenticated cookies, tokens, and other session material. If that file is readable by other local users, copied into backups, or exfiltrated by another process, an attacker could reuse the OpenTable session and impersonate the user.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The script caches a live Resy auth token to a local file under the user's home directory, but does not set restrictive file permissions or use a protected credential store. On multi-user systems, shared environments, backups, or if default umask is permissive, the token could be exposed and reused by another local process or user until it expires.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The script automatically invokes a secondary authentication flow and then immediately uses API credentials to query a third-party service without any explicit user confirmation or disclosure at runtime. In an agent/skill context, this can cause unintended use of stored credentials and silent external requests, which is risky even if the destination is the expected Resy API.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content
],
    });

    // Load saved session
    const context = await browser.newContext({
      userAgent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36',
      viewport: { width: 1280, height: 800 },
Confidence: 81%
Finding
The Playwright context is created from a saved session, so later runs continue under the user's previously authenticated browser state instead of logging in fresh. That persistence is what makes the stored session file (see the storage-state findings above) a credential-equivalent asset.

VirusTotal

65/65 vendors reported this skill as clean (0 detections).