coffee-tour

Security checks across malware telemetry and agentic risk

Overview

This flight-search skill is not malicious, but it needs review because it can automatically install a persistent global travel CLI and its scope is broader than its coffee-tour framing.

Review before installing. Use it only if you are comfortable with an agent installing a global npm CLI and sending travel-search details to the flyai/Fliggy provider. Prefer manual approval of the install, verify the package source/version, and use a narrower skill for non-coffee or non-flight travel requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The skill explicitly states that only parameters listed in the table may be used, but the Direct Route playbook later invokes an undocumented flag (`--journey-type 1`). This creates an instruction inconsistency that can cause agents to ignore safety/validation constraints, improvise unsupported commands, or rely on hidden CLI behavior not reviewed in the skill.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The activation trigger includes the Chinese phrase `出行预订` ("travel booking"), which is broad enough to match generic travel-booking requests unrelated to coffee tourism. Overbroad triggers can cause the wrong skill to activate, pushing users into an execution path that installs/runs external tooling and handles broad travel transactions outside the intended domain.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The manifest description advertises flights, hotels, trains, attraction tickets, visas, insurance, car rental, and more, far beyond a narrowly named `coffee-tour` skill. This scope inflation makes invocation boundaries ambiguous and increases the chance that the skill is selected for unrelated high-impact travel tasks the workflow and safeguards were not designed to govern.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The trigger terms for the Cheapest Option playbook include very broad words like "cheap" and "budget," which can appear in many travel-related user requests that do not explicitly ask to prioritize lowest price. This can cause unintended playbook selection and steer the agent toward a pricing-focused workflow, potentially producing incorrect bookings or recommendations that do not match user intent.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The Fastest Route playbook is activated by generic terms such as "fast" and "quick," which are highly ambiguous in a travel assistant that also handles hotels, trains, tickets, and itinerary planning. This increases the chance of misrouting requests into a flight search sorted by speed, leading to unintended actions or recommendations inconsistent with the user's actual request.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding: The fallback condition "0 results from above playbooks" is operationally ambiguous because it does not define which playbooks were attempted, in what order, or under what scope the fallback should fire. In a multi-capability travel skill, this can trigger overly broad searches and keyword queries that expand beyond the user's intended constraints, increasing the risk of irrelevant results or incorrect downstream actions.

Ssd 4

Severity: Medium
Confidence: 93%
Finding: The skill instructs the agent to check for `flyai`, then install it globally via `npm i -g @fly-ai/flyai-cli` and continue execution. This creates a trust-to-action chain where unverified external software is fetched and executed based solely on prompt instructions, materially increasing supply-chain and arbitrary code execution risk.

VirusTotal

65/65 vendors flagged this skill as clean.
