garden-parks

Security checks across malware telemetry and agentic risk

Overview

This travel skill is not clearly malicious, but it instructs agents to install a global npm CLI (flyai-cli) and to persist raw travel queries to a local log, in both cases without enough user control.

Review before installing. Use it only if you are comfortable routing garden and park searches through FlyAI/Fliggy, manually approve any CLI installation rather than letting the agent run it, and disable or inspect `.flyai-execution-log.json` if you do not want travel queries written to disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

Medium severity, 88% confidence

Finding
The README frames the skill as a narrow parks/gardens exploration tool, yet the same section says it wraps flyai-cli for real-time travel data and booking links, a materially broader capability. The mismatch can mislead users and agents about what data may be sent externally and which actions or commercial flows the skill can trigger, increasing the risk of over-trust and unsafe invocation.

Description-Behavior Mismatch

Medium severity, 86% confidence

Finding
The Chinese documentation repeats the same scope inconsistency: it presents a benign garden/park exploration use case while also stating that the skill provides real-time travel data and booking links. In a multilingual skill, inconsistent or incomplete disclosure is especially risky because users who rely on one language version may never see the broader networked behavior.

Missing User Warnings

Low severity, 80% confidence

Finding
The README says the skill provides real-time travel data and booking links, which implies outbound network access and transmission of user-supplied travel details, but it does not disclose that behavior or any data-handling considerations. This is a documentation-level rather than a code-execution risk, but the lack of transparency can lead users or agent frameworks to expose itinerary or preference data without informed consent.

Vague Triggers

Medium severity, 88% confidence

Finding
The activation triggers are broad enough that ordinary travel queries containing generic terms such as 'park' or 'flowers' may invoke this skill outside its narrow intended scope. Over-activation is more dangerous here than for a pure lookup skill because activation leads to command execution and possibly package installation, so an imprecise trigger can cause unnecessary external tool use and modification of the host system.

Missing User Warnings

Medium severity, 97% confidence

Finding
The skill explicitly instructs the agent to install a global npm package if the CLI is missing, modifying the host environment without explicit user consent. This turns a content-lookup skill into one that performs a supply-chain-affecting action (pulling and installing an unpinned package with global scope), and the broad activation conditions increase the chance that this happens unexpectedly.

Missing User Warnings

Medium severity, 95% confidence

Finding
The runbook explicitly logs raw user input, CLI commands, statuses, and latency to an internal execution log. That record can capture sensitive travel details, personal identifiers, credentials a user pasted by accident, and operational data. Because the file states that the log is persisted and not shown to users, it creates an undisclosed retention and leakage risk if the log is accessed, exfiltrated, or reused beyond the original request.

Missing User Warnings

Medium severity, 97% confidence

Finding
The runbook instructs the agent to append execution-log JSON to a local file, creating persistent on-disk storage of potentially sensitive request and operational data. Local writes expose that data to other processes and users on the host, to backups, and to later support or debugging workflows, and no notice, encryption, or retention limit is described.

Ssd 3

Medium severity, 98% confidence

Finding
Taken together, the runbook defines a durable audit trail containing raw natural-language user input, command execution details, fallback behavior, and output metadata, which materially increases data retention and privacy risk. In a travel skill, user queries may contain itinerary dates, destinations, names, booking preferences, and other personal or commercially sensitive information, so this logging design is more dangerous than generic telemetry.
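The three logging findings above all come down to the same question for anyone who has already run this skill: what is sitting in `.flyai-execution-log.json`, and what should a runbook have written instead? The script below is an added example, not code from the garden-parks skill, flyai-cli or SkillSpector. It assumes the log is JSON Lines (one object per line) with `input`, `command`, `status` and `latency_ms` fields; the real layout is not documented on this page. The sample entries are constructed. It flags entries whose free-text fields match credential, passport, e-mail or card-number heuristics, rewrites the file with those spans redacted, and shows a minimal entry shape that keeps the operational telemetry (status, latency, command name) without retaining the user's query.

```python
"""Audit and shrink a local agent execution log.

Added example; not code from the garden-parks skill, flyai-cli or SkillSpector.
Assumes a JSON Lines log with "input", "command", "status" and "latency_ms";
the actual layout of .flyai-execution-log.json is not documented.
"""
import hashlib
import json
import re
import sys
from pathlib import Path

# Constructed sample entries for a stand-alone run; not captured from the real skill.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:00Z", "input": "gardens near Kyoto in April", "command": "flyai-cli search gardens Kyoto", "status": "ok", "latency_ms": 812}
{"ts": "2024-05-01T09:01:10Z", "input": "book park tickets for Alice Zhang, passport E12345678", "command": "flyai-cli search park tickets", "status": "ok", "latency_ms": 640}
{"ts": "2024-05-01T09:02:30Z", "input": "use key sk-live-ABCDEFGHIJKLMNOPQRSTUVWXYZ123456 to search flowers", "command": "flyai-cli search flowers", "status": "error", "latency_ms": 30}
"""

# Things a travel-query log has no business retaining. Heuristic, not exhaustive.
SENSITIVE_PATTERNS = {
    "api_key": re.compile(r"\b(?:sk|api|key|token)[-_][A-Za-z0-9_-]{16,}\b", re.I),
    "passport": re.compile(r"\bpassport\s*[A-Z]?\d{7,9}\b", re.I),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def parse_log(text):
    """Parse JSON Lines; a torn line from an interrupted append is kept as a marker."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            entries.append({"_parse_error": lineno, "_raw": line})
    return entries


def find_sensitive(entries):
    """Return (entry index, pattern name) for every free-text field that matches."""
    hits = []
    for idx, entry in enumerate(entries):
        text = " ".join(str(entry.get(k, "")) for k in ("input", "command"))
        for name, pat in SENSITIVE_PATTERNS.items():
            if pat.search(text):
                hits.append((idx, name))
    return hits


def redact(entries):
    """Copy the entries with matched spans replaced; status and latency are untouched."""
    out = []
    for entry in entries:
        clean = dict(entry)
        for k in ("input", "command"):
            if isinstance(clean.get(k), str):
                for name, pat in SENSITIVE_PATTERNS.items():
                    clean[k] = pat.sub(f"[REDACTED:{name}]", clean[k])
        out.append(clean)
    return out


def minimal_entry(user_input, command, status, latency_ms):
    """What a runbook could log instead of the raw query: a digest that still lets
    repeated requests be correlated, the input length, and the command name
    without its arguments (the arguments carry destinations and dates)."""
    return {
        "input_sha256": hashlib.sha256(user_input.encode("utf-8")).hexdigest(),
        "input_len": len(user_input),
        "command": command.split()[0] if command.split() else "",
        "status": status,
        "latency_ms": latency_ms,
    }


def audit_file(path):
    """Rewrite the log in place with sensitive spans redacted; return what was found."""
    entries = parse_log(Path(path).read_text(encoding="utf-8"))
    hits = find_sensitive(entries)
    if hits:
        Path(path).write_text(
            "".join(json.dumps(e) + "\n" for e in redact(entries)), encoding="utf-8"
        )
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for idx, name in audit_file(sys.argv[1]):
            print(f"entry {idx}: {name}")
    else:
        for idx, name in find_sensitive(parse_log(SAMPLE_LOG)):
            print(f"sample entry {idx}: {name}")
```

Run it with the path to the log to redact in place, or with no arguments to exercise the constructed sample. Redaction is a cleanup for logs that already exist; the design fix is the `minimal_entry` shape, which keeps everything an operator needs for latency and failure analysis while never writing the query text to disk.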

VirusTotal

57/57 vendors reported this skill as clean. Note that this is a static malware scan of the package contents; it does not assess the prompt-level and data-handling issues listed above.
