Ctg Travel Booking

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches a travel-booking purpose, but it can save passenger identity data and create, cancel, or refund real bookings with incomplete confirmation and privacy safeguards.

Review this carefully before installing, and prefer the newer version linked by the skill. Use it only with a CTG account and API key you trust, provide only necessary passenger details, verify HTTPS configuration, and require the agent to show a final summary before any booking, cancellation, or refund.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (23)

Description-Behavior Mismatch

Medium severity, 89% confidence
This ticket-focused API spec includes passenger-profile listing and saving operations that collect and persist sensitive personal data such as names, identity numbers, and phone numbers. Expanding from ticket search/booking into reusable passenger-profile management increases privacy and authorization risk, especially if users are not clearly informed or if the agent can access previously stored passenger records across sessions.

Intent-Code Divergence

Medium severity, 95% confidence
The guide establishes a safety expectation that each step requires user confirmation, then overrides that safeguard by instructing the agent to create the flight order immediately after collecting contact information. In a booking context, this can cause unauthorized or accidental reservations, especially because users may believe they are still reviewing details rather than committing to an order.

Vague Triggers

Medium severity, 85% confidence
The trigger list is broad enough to activate on common travel-related conversation, causing the skill to engage in transactional flows when the user may only be asking general questions. In a booking and refund context, overbroad activation increases the risk of collecting unnecessary personal/travel data or steering users into actions they did not clearly intend.

Vague Triggers

Medium severity, 94% confidence
The refund routing uses generic phrases like '申请退款' and '确认退票' across multiple resource types, so a user request can be mapped to the wrong refund workflow. In a system that can cancel paid travel products, ambiguous routing could cause unintended cancellations, data exposure from the wrong order lookup, or erroneous refund handling.

Vague Triggers

Medium severity, 95% confidence
The savePassenger operation collects and stores highly sensitive personal data, including full name, government ID number, and phone number, but the manifest provides no warning, consent language, retention notice, or privacy constraints. In a travel-booking skill, this omission is dangerous because the agent may solicit and persist regulated identity data without making clear to the user that storage is occurring.

Vague Triggers

Low severity, 88% confidence
The createOrder operation is a consequential booking action that can commit the user to a ticket purchase workflow, yet its description is minimal and does not communicate approval boundaries or confirmation expectations. In this skill context, broad booking actions are more dangerous because triggers like '买票' and '订票' could cause the agent to move from search to order placement without sufficiently explicit user confirmation.

Missing User Warnings

High severity, 98% confidence
This operation requests and stores sensitive passenger PII without any explicit warning in the skill manifest that such data will be collected, retained, or used for downstream booking. Because identity numbers and phone numbers are especially sensitive, a user may unknowingly provide information that becomes stored in an external service, increasing privacy, compliance, and misuse risk.

Missing User Warnings

High severity, 97% confidence
The order-creation method can trigger a consequential real-world transaction, but the manifest lacks an explicit warning that invoking it creates a booking order with potential financial and travel consequences. In a travel assistant, this is particularly risky because users may interpret the interaction as exploratory search while the backend performs a state-changing reservation step.

Missing User Warnings

High severity, 98% confidence
The cancelOrder operation is destructive and user-impacting, yet there is no explicit warning that it will cancel an existing booking. In this context, cancellation of travel can cause immediate operational harm, loss of reservations, fees, or itinerary disruption if triggered accidentally or through misunderstood user instructions.

Vague Triggers

Medium severity, 73% confidence
The refund endpoints are described in broad, action-oriented terms such as '必调' and '申请火车票退票' without embedding clear eligibility checks, authorization requirements, or exclusion conditions in the skill contract. In a travel-booking skill triggered by broad user intents, this increases the risk that an agent could invoke refund-related actions without adequately confirming order ownership, refundability, passenger scope, or prior user consent, leading to unauthorized or erroneous refunds.

Vague Triggers

Medium severity, 92% confidence
The trigger condition "退订/退款酒店" is broad enough to match conversational mentions that are not clear requests to actually initiate a refund workflow. In a booking/refund skill, accidental invocation can expose order history or start a sensitive cancellation flow without sufficiently explicit user intent, making this more dangerous than in a low-risk informational skill.

Vague Triggers

Medium severity, 89% confidence
The trigger condition '预订/查询酒店' is broad enough to activate the skill during general hotel-related conversation, not just clear booking intent. In a transactional skill that can access passenger data and create orders, over-broad invocation increases the risk of unintended data access or accidental progression into booking workflows.

Missing User Warnings

Medium severity, 96% confidence
The guide handles highly sensitive personal data including full name, national ID number, and phone number in travelerList and savePassenger examples, but provides no privacy notice, minimization guidance, masking, or consent language. In a travel-booking context this materially raises privacy and compliance risk because the skill may solicit, display, log, or reuse identity data during reservations.

Vague Triggers

Medium severity, 95% confidence
The trigger examples include very broad phrases such as '退票' and '我要退票', which can be matched in ordinary conversation without a strong confirmation that the user intends to enter a refund flow for a specific paid flight order. In a financial operation context, accidental activation can expose order details or steer the agent into a refund workflow prematurely, increasing the risk of erroneous or unauthorized refund attempts.

Missing User Warnings

High severity, 98% confidence
The instruction to 'directly place the order, no second confirmation needed' removes a critical transactional safeguard in a high-impact purchase flow. Even if payment occurs later, creating the order can reserve inventory, trigger downstream workflows, confuse users, and expose them to unwanted commitments or pressure to complete payment.

Missing User Warnings

Medium severity, 95% confidence
The guide shows a direct path from fetching refund info to calling `ticket.refund` without requiring an explicit user confirmation immediately before submission. Because ticket refunds are financially impactful and potentially irreversible, an agent following this guide could cancel a paid ticket based on ambiguous intent, stale context, or mistaken order selection.

Vague Triggers

Medium severity, 95% confidence
The trigger condition is broad enough to match common conversational terms around travel, booking, and tickets, which can cause the skill to activate when the user did not intend to initiate a booking workflow. In a skill that can guide or initiate order creation, accidental activation increases the risk of collecting personal data or progressing toward a transaction without clear user intent.

Missing User Warnings

Medium severity, 98% confidence
The documentation includes full-format examples of highly sensitive personal data fields such as Chinese ID numbers and phone numbers, but provides no guidance on masking, redaction, storage minimization, or safe handling. In a travel-booking context, these fields are operationally required, so omission of privacy safeguards makes inadvertent exposure in logs, chat transcripts, screenshots, or debugging output materially more likely.

Vague Triggers

Medium severity, 91% confidence
The trigger list includes broad natural-language phrases like “退票/我要退票/申请退款/取消这张火车票(已支付)”, which can be matched during ordinary conversation without strong proof of user intent or order specificity. In a travel-booking skill tied to refund APIs, unintended activation can lead to the assistant initiating a destructive cancellation workflow, exposing order details or preparing a refund request for the wrong booking.

Missing User Warnings

Medium severity, 95% confidence
This guide documents a destructive refund flow and only relies on a thin confirmation convention (“确认退票”) after showing deduct/refund information, without documenting stronger safeguards such as explicit order binding, passenger-by-passenger confirmation, consequences disclosure, or a non-ambiguous final consent step. Because train.refund submits an irreversible financial action, weak confirmation logic increases the risk of accidental or socially engineered refunds, especially if the skill is triggered from loosely phrased user input.

Missing User Warnings

High severity, 95% confidence
The guide includes concrete examples for collecting and submitting highly sensitive personal data such as full name, government ID number, and phone number, but provides no privacy notice, masking guidance, retention limits, or handling restrictions. In a booking skill, this increases the risk of over-collection, accidental disclosure in logs, prompt transcripts, screenshots, or unauthorized downstream use of personal data.

Missing User Warnings

Medium severity, 92% confidence
The document describes order creation, status polling, and cancellation flows that change a user's transaction state, yet it does not require explicit confirmation, summarize charges, or warn about financial consequences before executing these actions. In a travel-booking context, this can lead to unauthorized purchases, accidental cancellations, or disputes caused by agent misinterpretation or premature action.

Missing User Warnings

Medium severity, 89% confidence
The script sends request parameters together with authentication material to a remote endpoint, and get_call_url() permits plain HTTP when the configured host lacks an https:// prefix. In a travel-booking skill, the request parameters can include sensitive itinerary and personal booking data, and the authentication values can be intercepted or modified by a network attacker if transport security is not enforced.

VirusTotal

66/66 vendors flagged this skill as clean.