extended-stay

Security checks across malware telemetry and agentic risk

Overview

This travel booking skill mostly does what it claims, but it can auto-install a global CLI and store raw travel queries locally without clear user consent.

Install only if you trust the flyai CLI and are comfortable with travel-search details being sent to that provider. Require explicit approval before any npm install, prefer an isolated or pinned CLI installation, and disable or delete `.flyai-execution-log.json` if you do not want raw itinerary searches retained locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The runbook explicitly requires logging raw user queries and detailed execution metadata for every invocation, which exceeds what is necessary to fulfill a travel-booking skill. In this context, user queries may contain sensitive travel details, personal identifiers, dates, destinations, or booking preferences, creating avoidable data collection and retention risk if logs are accessed, reused, or breached.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
The runbook instructs the agent to persist execution logs to a local file, introducing durable storage of potentially sensitive request and command data without clear necessity for the skill's travel function. Persistent local logging increases exposure by leaving recoverable artifacts on disk that may be read by other processes, users, backups, or later compromise.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The skill explicitly directs the agent to install a global npm package when a command is missing, which would modify the user's environment without an explicit consent gate. In an agent setting, automatic package installation can introduce supply-chain risk and unexpected system changes, especially because global installs execute package lifecycle scripts with the user's privileges.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The prerequisites section presents a global install command as a normal setup step without warning about environment modification or the trust implications of installing third-party code. Because this is a travel-booking skill rather than a system-administration tool, silently normalizing global package installation is riskier and less expected by users.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding:
This workflow mandates automatic remediation by running `npm i -g @fly-ai/flyai-cli` after a failed environment check, creating a direct path from an ordinary user query to code installation and execution. That is particularly dangerous in agent workflows because it can be triggered without meaningful user awareness, expanding the attack surface to npm package compromise, typo-squatting, or malicious postinstall behavior.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The document states that the agent maintains an internal execution log and the schema includes the raw user query, but there is no accompanying disclosure or consent mechanism. For a travel skill, users may reasonably provide sensitive itinerary and identity-related details, so undisclosed collection of raw input undermines transparency and can violate privacy expectations or policy requirements.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The runbook describes writing execution data to disk but does not disclose to users that their request and related operational metadata may be persisted locally. Hidden persistence is especially risky in a travel-booking context because requests can contain personal travel plans and booking-related details that users would not expect to be stored as local artifacts.

VirusTotal

61/61 vendors flagged this skill as clean.
