Explore Tibet

Security checks across malware telemetry and agentic risk

Overview

This Tibet travel skill has a legitimate travel-planning purpose, but it needs review because it can auto-install a global CLI, send trip details to a third-party service, and persist raw request logs locally.

Install only if you are comfortable with the agent installing and running the flyai CLI, sending travel searches to that provider, and creating local execution logs. Avoid entering passport, payment, or highly sensitive itinerary details unless logging is disabled or clearly managed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The skill explicitly instructs the agent to install and execute a global npm package (`npm i -g @fly-ai/flyai-cli`) automatically, without requiring user consent or any integrity verification. This creates a supply-chain and arbitrary code execution risk, because package install scripts and the installed CLI run with the user's privileges and may alter the host environment.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding
The trigger phrase "Tibet trip" is overly broad and can match many ordinary travel-related user requests without enough specificity to ensure the correct playbook is invoked. In a transactional travel skill that may lead to flight, hotel, or attraction booking flows, broad activation increases the risk of unintended workflow execution and parameter mapping against the wrong itinerary.

Vague Triggers

Severity: Medium
Confidence: 81%
Finding
The phrase "complete Tibet" is ambiguous and does not clearly express whether the user wants itinerary inspiration, a multi-city route, or actual bookings. Because this playbook maps to a complex multi-day sequence, ambiguous activation could cause the agent to select an expansive itinerary that does not match user intent, increasing the chance of erroneous recommendations or downstream booking actions.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The runbook explicitly records `user_query` as raw input in an internal execution log, which can capture sensitive personal, travel, payment-adjacent, passport, visa, or itinerary details. In the context of a travel-booking skill, retaining raw user input without notice, minimization, or redaction creates unnecessary privacy and compliance risk if logs are accessed, leaked, or reused beyond the immediate transaction.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The instructions tell the agent to append execution logs to a local file, which can silently persist user data and operational metadata on disk. Because this skill handles travel planning and bookings, the stored logs may include sensitive trip details and identifiers, increasing exposure through local compromise, accidental inclusion in artifacts, or broader access by other processes or operators.

VirusTotal

63/63 vendors flagged this skill as clean.