ClawHub

飞猪旅行

Security checks across malware telemetry and agentic risk

Overview

This travel-search skill appears purpose-aligned, but it sends travel and location-style queries through cloud proxy services.

Install only if you are comfortable with your travel searches, destinations, dates, hotel preferences, and route or food queries being sent to the skill publisher's cloud proxy and then to travel/map services. Avoid entering highly sensitive itinerary details unless you trust the proxy's privacy claim.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill exposes multiple network-backed tools and explicitly references cloud proxying to third-party services, yet no permissions model or explicit network declaration is documented. This creates a transparency and governance gap: users and platform operators may not realize that queries and possible location/travel data are sent off-platform to external endpoints.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill claims 'official direct' Fliggy connectivity and a narrow travel-search purpose, but the documented behavior extends to Amap-backed food, routing, geocoding, and Marriott-specific functions, while also routing requests through a proxy rather than an obviously official direct endpoint. This mismatch is dangerous because it can mislead users about data flow, trust boundaries, and which third parties receive potentially sensitive itinerary or location information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill sends user-supplied travel queries, destinations, and location-derived data to two third-party SCF proxy endpoints rather than directly to the stated providers, and there is no user-visible notice or consent flow. Because these queries can reveal itinerary plans, movement patterns, and sensitive travel intent, undisclosed transmission to opaque proxy infrastructure creates a real privacy and data-handling risk.

Missing User Warnings

Low
Confidence
90% confidence
Finding
A static proxy token is embedded in the script and used for all outbound requests, which means anyone with code access can reuse the credential against the proxy services. While this is primarily a secret-management issue rather than direct user compromise, exposed tokens can enable unauthorized API use, abuse of the proxy, and broader data access depending on what the backend permits.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal