mountain-flight

Security checks across malware telemetry and agentic risk

Overview

This travel-search skill is mostly aligned with its purpose, but it needs review because it can install a global CLI and persist sensitive travel queries without clear user control.

Install only if you are comfortable with a third-party travel CLI handling your itinerary searches. Approve any package installation yourself, avoid entering highly sensitive identity or visa details, and check whether .flyai-execution-log.json is created so you can delete or disable persistent logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium severity
92% confidence
Finding
The fallback for a past date is internally contradictory: it says not to search, but then instructs an automatic search for the next available date. In a travel-booking skill, this can cause actions or queries that the user did not explicitly authorize, leading to incorrect results, unintended bookings/searches, or policy bypass around invalid input handling.

Context-Inappropriate Capability

Medium severity
94% confidence
Finding
The runbook directs the agent to retain raw user queries and full CLI command details in an internal execution log, which exceeds what is necessary for a travel-booking skill. In this context, user queries may contain sensitive travel details, personal identifiers, dates, destinations, or booking-related data, and detailed command logging can expose internal parameters or downstream tokens if ever included in commands.

Context-Inappropriate Capability

Medium severity
91% confidence
Finding
The runbook explicitly persists execution logs to a local file, creating unnecessary durable storage for potentially sensitive interaction data. For a travel-assistance skill, filesystem persistence is not required for core functionality and increases the chance of later disclosure through host compromise, misconfiguration, log collection, or unintended access by other processes.

Missing User Warnings

Medium severity
80% confidence
Finding
The fallback flow broadens behavior by issuing both a flight search and a keyword search against an external service without any disclosure or consent boundary. This is more dangerous than the primary playbooks because it can transmit user itinerary details to an additional search path, increasing privacy exposure and unexpected external querying beyond the user's immediate request.

Missing User Warnings

Medium severity
93% confidence
Finding
The document states that the agent maintains the log internally and that it is not shown to users, while the schema includes raw user input. This creates undisclosed data retention and observability of user content, which is especially concerning in a travel skill where users may provide personal itineraries, names, locations, visa details, or insurance-related information.

VirusTotal

65/65 vendors flagged this skill as clean.