Visa Check

Security checks across malware telemetry and agentic risk

Overview

This visa skill is not clearly malicious, but it needs review because it can install and run an unpinned global travel CLI, steer answers through booking links, and persist raw user queries locally.

Install only if you are comfortable approving a global npm CLI install and provider-specific booking results. Do not enter passport numbers or highly sensitive travel details unless necessary, verify visa requirements with official government or consular sources, and remove .flyai-execution-log.json if local query logs are created.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The skill is presented as a visa-checking tool, but its instructions force the agent to produce booking links and rely on a commerce-oriented CLI. That mismatch can cause unintended activation for broader travel tasks, mislead users about the skill's true scope, and steer outputs toward affiliate or booking behavior unrelated to the declared purpose.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding:
The file says not to activate for travel planning, yet the manifest advertises itinerary planning and multiple booking capabilities. This inconsistency increases the chance that an agent will invoke the skill outside its intended boundary, exposing users to irrelevant tool use, over-collection of travel details, and commercially biased responses.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding:
The manifest description is overly broad and includes generic travel tasks such as booking and itinerary planning, far beyond visa lookup. Overbroad scope is dangerous because it increases accidental triggering and gives the skill authority to handle unrelated actions, which can lead to unauthorized tool use or user confusion about what data and actions are actually necessary.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The transit visa playbook uses the trigger "transit visa" but the command requires a {dest} parameter, creating an underspecified workflow. This can cause the agent to run searches with missing, inferred, or stale destination values, leading to inaccurate visa guidance in a safety-sensitive travel context where users may rely on the result for border compliance.

Natural-Language Policy Violations

Severity: Medium
Confidence: 84%
Finding:
All playbooks hard-code Chinese-language search terms without documenting why that source selection is appropriate for all users and destinations. In a global visa-checking skill, this can systematically bias retrieval toward Chinese-language travel content, increasing the risk of incomplete, outdated, or jurisdiction-mismatched immigration advice.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The runbook explicitly records `user_query` as raw input in an internal execution log and also instructs appending the generated log to a local file when filesystem access is available. That creates unnecessary retention of potentially sensitive travel data, identity details, or booking-related information without any indication of minimization, masking, consent, retention control, or user notice.

Ssd 3

Severity: Medium
Confidence: 98%
Finding:
The runbook instructs the agent to retain and potentially persist raw user input in an internal execution log, which can capture passport, itinerary, visa, employer, or other sensitive travel information commonly submitted to this skill. Because the skill handles visa and booking workflows, the likelihood of collecting sensitive personal data is higher than for a generic skill, increasing privacy and compliance risk if logs are accessed, leaked, or reused.

VirusTotal

66/66 vendors flagged this skill as clean.
