Flight Price Comparison (机票比价)

Security checks across malware telemetry and agentic risk

Overview

This flight-price skill appears purpose-built, but it routes travel searches through the publisher's cloud proxy using a hardcoded, reusable proxy token whose presence contradicts the skill's own documentation.

Install only if you are comfortable sending searched routes and dates through the publisher's proxy. The skill should rotate/remove the embedded token and document proxy data handling more clearly before being treated as low-risk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

High, 99% confidence

The module docstring claims the script contains no API secrets, but the code hardcodes a live proxy token and endpoint. This creates a direct credential exposure risk: anyone with access to the skill can reuse the token to call the backend proxy, potentially consume paid resources, enumerate backend behavior, or access flight aggregation services through the author's infrastructure.

Missing User Warnings

Medium, 93% confidence

The skill does not clearly and prominently warn users that their itinerary queries are routed through a cloud proxy and shared with multiple OTA platforms. This undermines informed consent and privacy expectations, especially for travel data that can reveal future movements, preferences, and potentially sensitive personal patterns. The omission is more dangerous here because third-party sharing is central to the skill's operation, not incidental.

Missing User Warnings

Medium, 98% confidence

A hardcoded authentication token is sent in every network request via the X-Proxy-Token header, meaning the skill itself distributes reusable credentials to all recipients of the code. Because the token authenticates requests to a remote SCF proxy, an attacker can extract and abuse it outside the intended workflow, leading to unauthorized API usage, quota exhaustion, or downstream data access through the proxy.

VirusTotal

VirusTotal findings are pending for this skill version.