亲子出行助手

Security checks across malware telemetry and agentic risk

Overview

This family travel skill does what it claims, but users should know that attraction and weather lookups send city or destination details to external proxy services.

Install only if you are comfortable sharing travel lookup details such as city, destination, attraction keywords, and child age with the skill author's proxy services and downstream travel/weather APIs. Avoid entering precise home addresses, full itineraries, names, contact details, or other sensitive family information unless necessary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 74% confidence
Finding
The trigger conditions are broad enough to match many general family-travel or ticket-related conversations, which can cause the skill to activate outside narrowly intended scenarios. Over-triggering can expose more user queries than necessary to the skill's downstream services and may lead to irrelevant or unsolicited processing of travel-related personal context.

Missing User Warnings

Medium, 93% confidence
Finding
The skill explicitly states that user inputs are sent to a proxy service and third-party travel and weather APIs, but it provides no user-facing privacy notice, consent cue, or data-minimization guidance. Because the use case involves children and family travel, transmitted queries may contain sensitive location, itinerary, and child-age information, making undisclosed sharing more concerning.

Missing User Warnings

Medium, 93% confidence
Finding
The skill sends user-supplied location data such as city or destination to external proxy services (Fliggy, Tuniu, and Amap/Gaode) to fetch attractions and weather, but there is no user-facing disclosure, consent, or minimization. This creates a privacy risk because travel-related location queries can reveal sensitive personal context about a family’s plans and are transmitted to third-party endpoints hardcoded in the skill.

VirusTotal

65/65 vendors flagged this skill as clean.
