Travel Claw(旅行龙虾)

Security checks across malware telemetry and agentic risk

Overview

Travel Claw is a prompt-only travel story generator with a minor transparency issue around automatic language choice, but no evidence of unsafe access, persistence, or hidden data handling.

Install if you are comfortable with a bilingual creative skill using the current conversation to choose nickname and language. For better control, tell it your preferred language explicitly and only approve image search when you want it to contact public image services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Natural-Language Policy Violations

Medium
Confidence: 88%
Finding
The skill explicitly states that language is selected automatically based on whether the user appears Chinese or not, which infers a user attribute from context rather than asking preference directly. While this is framed as a UX feature and only affects presentation, it can misclassify users, reveal profiling behavior, and create an avoidable privacy concern around inferred language/identity.

VirusTotal

63/63 vendors flagged this skill as clean.
