ClawHub

同程程心 Tongcheng Chengxin Travel Search

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed travel-search integration that sends travel queries to Tongcheng’s API and does not show hidden persistence, broad file access, or unrelated data collection.

Before installing, treat the Chengxin API key like a secret: prefer the platform’s secure environment-variable setting, avoid pasting keys into ordinary chat when possible, and confirm where any assistant-assisted configuration will be saved. Travel details you query will be sent to Tongcheng’s declared API to retrieve live results.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation instructs the assistant to configure a user-provided API key into the skill automatically, but it does not require a clear warning, confirmation step, or safe-handling guidance for sensitive credentials. In an agent setting, this can normalize secret ingestion and storage without ensuring the user understands where the credential will be written or whether it may be exposed in logs, memory, or conversation history.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The document defines broad user-trigger phrases such as '用 chengxin 技能查询 XXX' and commands to '按 SKILL.md 要求调用脚本执行', which can overlap with ordinary user requests and cause the agent to enter a privileged scripted mode unexpectedly. Because the behavior is marked as '强制执行' and instructs the model to output script results without modification, an attacker could use natural-language prompt injection to force tool invocation or bypass normal response shaping.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal