ClawHub

tripclaw

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it sends user-provided trip itineraries to TripClaw using a user-supplied API key.

Install only if you trust TripClaw and want itinerary details such as routes, lodging, activities, dates, and budget sent to your TripClaw account. Keep the API key private, prefer a revocable or scoped key if available, and ask to review the itinerary JSON before syncing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs use of environment variables, local files, and a networked Python script to send itinerary data, but the manifest does not declare permissions or clearly scope those capabilities. This creates a transparency and consent problem: a host may invoke a skill that can access sensitive API keys and exfiltrate itinerary data over the network without explicit permission review.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The description “提及 TripClaw 行程同步时触发” does not define clear activation boundaries, so merely discussing TripClaw sync could trigger the skill. Because the skill can package travel details and send them to a remote API, ambiguous activation increases the risk of unintended data disclosure or unauthorized external actions.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The description “提及 TripClaw 行程同步时触发” does not define clear activation boundaries, so merely discussing TripClaw sync could trigger the skill. Because the skill can package travel details and send them to a remote API, ambiguous activation increases the risk of unintended data disclosure or unauthorized external actions.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal