Pack Smart

Security checks across malware telemetry and agentic risk

Overview

This packing-list skill needs Review because it can install and run an external travel CLI, pushes booking-link results, and records raw user queries locally without clear user control.

Install only if you are comfortable with the agent installing and running the flyai npm CLI, sending packing/travel queries through that provider workflow, receiving booking-link-oriented results, and potentially writing raw prompts and command details to a local log file. Prefer using it in a controlled environment and clearing or disabling the log if sensitive trip details are involved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Medium, 91% confidence

The skill is advertised as a packing-list generator, but its core execution rules force all answers to come from a travel-booking/search CLI and require booking links in every result. This mismatch can mislead the agent into invoking unrelated external tooling and presenting booking-oriented content when the user only asked for packing advice, increasing the risk of unintended command execution and deceptive output.

Intent-Code Divergence

Medium, 88% confidence

The documented workflow claims to generate customized packing lists, but the prescribed commands are only generic keyword searches for travel-list phrases and the output must be formatted with booking links. That creates a deceptive abstraction where the agent may surface irrelevant or fabricated-looking results under the guise of a customized packing list, undermining user trust and safe tool use.

Vague Triggers

Medium, 79% confidence

The manifest description advertises a very broad set of travel services beyond packing lists, which can cause the skill to activate for many unrelated travel intents. Over-broad activation expands the attack surface by increasing the chance an agent routes user requests into this skill, where it may run external commands or install software unnecessarily.

Missing User Warnings

Medium, 95% confidence

The skill instructs the agent to install a global npm package and execute an external CLI, but provides no user-facing warning, consent step, or trust guidance. In an agent environment, silent software installation and command execution can change the system state, introduce supply-chain risk, and violate user expectations about what the skill will do.

Natural-Language Policy Violations

Medium, 76% confidence

The playbook hard-codes a Chinese-language search query ("旅行清单 {dest}") without checking the user's language or locale, which can cause the agent to retrieve results the user cannot understand or did not intend to request. In a travel-assistant context, this is not directly dangerous like code execution, but it can degrade result integrity and mislead users by forcing opaque third-party content selection.

Natural-Language Policy Violations

Medium, 78% confidence

This beach-packing playbook forces the Chinese query "海边旅行清单" regardless of the user's language, introducing an avoidable mismatch between user intent and backend retrieval. The main risk is integrity and transparency: users may receive language-specific or region-specific recommendations without consent, making the skill less trustworthy and potentially less useful.

Natural-Language Policy Violations

Medium, 78% confidence

The winter-packing playbook similarly hard-codes the Chinese query "冬季旅行清单" with no opt-in or locale justification. While the context is a travel/packing skill and not an obviously hazardous domain, the forced language choice can still produce confusing or biased outputs and reduces user control over how external search is performed.

Missing User Warnings

Medium, 95% confidence

The runbook explicitly defines an internal execution log that captures raw user input, command history, timestamps, and operational metadata. Even without obvious malicious intent, retaining this data by default creates a privacy and data-exposure risk because sensitive travel, identity, booking, or location details may be stored and later disclosed through local access, debugging, or log aggregation.

Missing User Warnings

Medium, 96% confidence

The file instructs the agent to append execution logs to a local file whenever filesystem writes are available, but provides no user notice, consent model, retention policy, or protections for that file. This makes sensitive operational and user-derived data durable on disk, increasing the chance of unauthorized access, forensic recovery, or accidental inclusion in backups and support bundles.

Ssd 3

Medium, 97% confidence

The schema includes a `user_query` field containing raw input, which can naturally capture sensitive free-form content such as passport questions, travel dates, locations, personal preferences, booking details, or payment-adjacent information. Storing raw natural-language input expands the attack surface because secrets and PII are hard to reliably detect after the fact and may be exposed through logs, error reports, or later analysis.

Ssd 3

Medium, 95% confidence

Persistent logging of all skill activity can accumulate a detailed history of user interactions, commands, recovery behavior, and outputs over time, making the resulting file a concentrated source of sensitive information. In a travel-oriented skill that may handle itinerary, booking, visa, insurance, and transportation-related requests, the retained data can reveal highly personal movement and planning patterns.

VirusTotal

66/66 vendors flagged this skill as clean.