group-tour

Security checks across malware telemetry and agentic risk

Overview

This travel-search skill appears purpose-aligned, but it can automatically install a global CLI and persist raw travel queries without clear user control.

Review before installing. Use only if you trust the FlyAI CLI source, approve any global npm installation yourself, and are comfortable sending travel searches to FlyAI/Fliggy. Check for or disable `.flyai-execution-log.json` if you do not want travel requests stored locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium, 95% confidence

The runbook explicitly records the raw user query and every CLI command in an internal execution log, which creates unnecessary collection of potentially sensitive travel-related data. In this skill context, user queries may contain personal identifiers, passport/visa details, trip dates, destinations, and booking preferences, so broad logging expands exposure without clear necessity for core functionality.

Missing User Warnings

Low, 87% confidence

The README states that the skill wraps a CLI to provide real-time travel data and booking links, which implies external network access and possible transmission of user queries or travel details to a third-party service. Failing to disclose this behavior can mislead users and agent operators about data flows, consent, and privacy expectations, especially in environments that restrict outbound access or sensitive data sharing.

Missing User Warnings

Medium, 96% confidence

The skill explicitly instructs the agent to act as a CLI executor and to install and run software, but it provides no user-facing warning or consent step before executing shell commands that may change the host system. This creates a real safety issue because an agent following the instructions could modify the environment unexpectedly, especially on systems where global npm installs affect shared tooling or require elevated privileges.

Missing User Warnings

Medium, 98% confidence

The prerequisites section tells the agent to perform a global npm install but omits any warning that this will install third-party software onto the user's machine. That omission is dangerous because it normalizes silent system modification and can lead to unauthorized package installation, dependency trust issues, and possible supply-chain exposure.

Missing User Warnings

Medium, 99% confidence

The environment-check workflow automatically falls back to `npm i -g @fly-ai/flyai-cli` when the command is missing, with no warning or approval step. This is a concrete unsafe execution path because the skill directs an agent to change the user's system state automatically, potentially introducing unreviewed software or breaking existing tooling.

Natural-Language Policy Violations

Medium, 91% confidence

The playbooks hard-code Chinese-language search queries for all tour intents, which can mishandle user requests when their preferred language or locale differs. This can lead to incorrect or inaccessible results, confusion about product details, and downstream booking errors if users rely on returned tours they cannot properly review.

Missing User Warnings

Medium, 97% confidence

The schema stores raw user input and the runbook permits appending the generated log to a local file without any disclosure or consent mechanism. This creates a privacy and security risk because travel-booking interactions often include sensitive personal and itinerary data, and filesystem persistence increases the chance of later unauthorized access, unintended retention, or secondary reuse.

VirusTotal

66/66 vendors flagged this skill as clean.