Packing List

Security checks across malware telemetry and agentic risk

Overview

This skill is framed as a packing-list helper but can install a global travel CLI, force booking-linked travel-search results, and persist raw user queries locally.

Install only if you specifically want a FlyAI/Fliggy-backed travel search and booking-link workflow, not a standalone packing-list helper. Require approval before any npm install or CLI execution, avoid entering passport, payment, booking-reference, or highly sensitive itinerary details, and disable or delete `.flyai-execution-log.json` if you do not want local query history retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The skill is marketed as a packing-list generator, but its required workflow is centered on Fliggy/flyai travel-product search and mandates booking links in all results. This mismatch can mislead users and host agents into activating a commerce/search workflow under a benign planning pretext, increasing the risk of undisclosed affiliate behavior, unnecessary external queries, and user confusion about what data is being sent and why.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The documented behavior promises customized packing guidance, but the implementation forces booking-oriented outputs with `[Book](detailUrl)` links, which is inconsistent with the stated user task. In context, this makes the skill more dangerous because users asking a harmless travel-prep question may be routed into product promotion or link generation without clear consent or need.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The template instructs the agent to present priced booking links and 'real-time pricing' content, which expands behavior beyond a simple packing-list skill into transactional travel assistance. This can mislead users about the skill's scope and cause the agent to generate booking-oriented outputs or links without clear authorization, increasing the risk of deceptive behavior or unsafe action routing.

Intent-Code Divergence

Medium
Confidence: 92%
Finding
The file is labeled as a packing-list template, but its primary output format is a commercial booking-results table with prices and booking URLs. This mismatch creates an instruction/scope inconsistency that can steer the agent away from its stated function, making it easier to induce unauthorized commerce-related responses and reducing user transparency about what the skill actually does.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill instructs the agent to run `npm i -g @fly-ai/flyai-cli`, which modifies the host environment by globally installing software, without explicit user consent or safety disclosure. This is dangerous because it expands the attack surface, introduces supply-chain risk, and violates least-privilege expectations for a simple informational skill.

Missing User Warnings

Medium
Confidence: 94%
Finding
The workflow requires use of an external CLI and forbids answering from local knowledge, but it provides no disclosure that user travel queries will be transmitted to a third-party service. In this context, travel plans can include sensitive itinerary, destination, and timing information, so silent network transmission creates privacy and compliance concerns.

Missing User Warnings

Medium
Confidence: 94%
Finding
The runbook explicitly records the raw user query in an internal execution log, which can capture personal, financial, passport, visa, itinerary, and other sensitive travel data. Because the skill also supports booking-related workflows, retaining unredacted input materially increases privacy and compliance risk if logs are accessed, retained too long, or reused beyond operational need.

Missing User Warnings

Medium
Confidence: 96%
Finding
The runbook instructs persistent filesystem logging of the execution record, which may include raw user queries and operational metadata, without any notice, minimization, encryption, or retention limits. In a travel skill that may handle booking and identity-related information, writing such logs to disk increases the likelihood of sensitive data exposure through local compromise, backups, shared environments, or improper log handling.

VirusTotal

64/64 vendors flagged this skill as clean.
