Book Hotels with Hot Spring Baths — Onsen Pools, Private Hot Spring Rooms, Ryokan Stays

Security checks across malware telemetry and agentic risk

Overview

This travel-booking skill appears legitimate, but it asks agents to install a global third-party CLI and persist raw travel queries locally without clear user consent or retention controls.

Install only if you are comfortable with flyai receiving your travel-search details and with a global npm package being installed. Before using it, consider installing and reviewing @fly-ai/flyai-cli yourself, and delete or disable .flyai-execution-log.json because it may contain raw personal trip details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The fallback instructs installation and execution of a global CLI on the user's system without any safety disclosure, provenance verification, or alternative path. In an agent context, telling a user to install and run software expands trust boundaries and can lead to unwanted code execution, environment changes, or supply-chain risk if the package is tampered with or spoofed.

Missing User Warnings

Medium
Confidence: 95%
Finding
The runbook explicitly records `user_query` as raw input and appends the execution log to a local file, creating persistent storage of potentially sensitive travel data without any stated minimization, consent, retention limit, or redaction. In this skill context, users may submit names, locations, dates, visa details, insurance needs, or other personal travel information, so retaining raw queries increases privacy exposure and downstream breach impact.

VirusTotal

66/66 vendors flagged this skill as clean.
