Domestic Flight Search

Security checks across malware telemetry and agentic risk

Overview

This flight-search skill does what it says: it sends flight search details to a cloud proxy for Fliggy results, with no evidence of hidden persistence, destructive actions, or unrelated data access.

Install only if you are comfortable sending flight search details, including any freeform query text you provide, to the skill publisher's cloud proxy for Fliggy lookup. Prefer structured fields over long natural-language messages if privacy matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill declares and relies on outbound network access via a cloud proxy endpoint, but no explicit permission or trust boundary is documented for that capability. This is risky because user flight queries may be sent to an external service and the skill also references a proxy token, creating potential data exposure and hidden external dependency concerns if the endpoint is misconfigured or untrusted.

Missing User Warnings

Medium
Confidence: 93%
Finding: The skill sends user-supplied origin, destination, date, and optional filters to a third-party proxy endpoint, but the code and tool interface do not provide any disclosure or consent mechanism. Even if the data is not highly sensitive by itself, travel intent and itinerary details are still user data, and routing them through a hard-coded external proxy increases privacy and data-handling risk.

Missing User Warnings

Medium
Confidence: 96%
Finding: The natural-language fallback forwards the full freeform user query to an external service, which can include far more personal information than structured flight fields. Because freeform text may contain names, IDs, phone numbers, or broader trip context, sending it without warning or input constraints creates a meaningful privacy exposure.

VirusTotal

65/65 vendors flagged this skill as clean.