ClawHub

Google Hotels

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed hotel-search automation skill, with the main caution that it can optionally visit hotel websites after asking the user.

Install only if you trust the GitHub source and agent-browser. Use it for hotel research and price comparison, but avoid signing in, entering payment details, or letting it continue onto hotel or promo-code sites unless you explicitly want that extra check.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill materially expands its scope from Google Hotels search into browsing third-party hotel sites to inspect rates, promo codes, and loyalty offers. That crosses a trust boundary and increases exposure to tracking, consent flows, and booking-related interactions on external domains, which is risky even if the skill says not to complete purchases.

Intent-Code Divergence

Low
Confidence
80% confidence
Finding
The documentation says the skill is 'search only' and 'never complete a purchase,' but later instructs the agent to visit hotel sites for booking-related checks. This inconsistency can mislead users and downstream agents about the skill's real behavior, making accidental scope creep more likely.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The documented workflow expands from Google Hotels browsing into general web searching, navigating to third-party hotel sites, chain booking engines, and promo-code searches. That broadens the skill’s operational scope beyond its declared purpose and can cause the agent to visit unvetted external domains, increasing exposure to prompt-injection, deceptive marketing pages, tracking, and unintended actions on booking flows.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Instructions to search official hotel sites and external promo pages are not necessary for a Google Hotels search skill and create an unjustified trust boundary expansion. In agentic browser contexts, this is dangerous because the agent may be led onto arbitrary third-party pages containing hostile content or persuasive booking flows, which can manipulate extraction, trigger unsafe navigation, or produce results inconsistent with the skill’s stated purpose.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad and overlap with ordinary travel planning language, increasing the chance the skill activates when the user did not intend browser automation or hotel-search behavior. Unintended invocation can cause unnecessary web navigation and handling of potentially sensitive travel itinerary details.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill directs the agent to visit external hotel websites and inspect booking offers without an explicit warning to the user that third-party sites will be opened. This can expose travel dates, destination context, and browsing metadata to external sites and may lead users to believe the agent is still operating only within Google Hotels.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal