Travel Lobster

Security checks across malware telemetry and agentic risk

Overview

This skill is openly built to browse the web and send illustrated postcards, but it needs review because it can keep rescheduling itself, post to chat, spend API credits, and store/source local config indefinitely.

Install only if you explicitly want a recurring autonomous agent that browses public web pages, calls OpenRouter, uses your configured model provider, and posts to a chat. Before running it, inspect the generated .travel-config, consider fixing shell quoting and file permissions, choose a bounded interval, monitor API costs, and know the stop commands for both openclaw cron and any watchdog crontab entry.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (9)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The prompt directs the agent to execute local shell commands and a Python script to create, verify, send, and delete a file. Even if intended for postcard generation, this expands the skill from web exploration into local code execution and filesystem manipulation, increasing the attack surface if variables such as paths or prompts are influenced by untrusted input.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill mandates unconditional execution of a follow-up scheduling script, even if prior steps fail, creating persistent autonomous behavior beyond the user's immediate request. This can lead to runaway execution, repeated outbound activity, and loss of human control over when the agent acts.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation phrases are broad enough to match ordinary conversation about exploring the internet or sending postcards, which can cause the skill to trigger without clear user intent. In this skill, accidental activation is more dangerous than usual because the skill initiates network activity, writes persistent memory, and can start recurring scheduled runs.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The prompt instructs the agent to send generated text, an image, and a source URL to an external chat target without any consent check or disclosure about outbound transmission. This can expose generated content, browsing choices, metadata, and possibly sensitive contextual details to third-party destinations unexpectedly.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill instructs deletion of a workspace file and later journal edits without warning the user that local files will be modified or removed. In an agent environment, silent state changes can destroy artifacts, hinder auditing, and create opportunities for unintended data loss if paths or variables are mis-scoped.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The prompt requires execution of a scheduling subprocess with no user warning, opt-out, or approval gate. Hidden recurring execution changes the agent from a one-shot assistant into a persistent actor, which materially raises privacy, cost, and abuse risks.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script schedules an external model invocation and passes a prompt assembled from user/chat identifiers and workspace-derived state without any consent gate, disclosure, or approval step. In a skill explicitly designed for autonomous web exploration and self-scheduling, this increases privacy and governance risk because it can repeatedly send user-linked context to a third-party model backend in the background.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script rewrites persistent configuration to disk, including chat ID, channel, workspace, journal path, timezone, and user-related settings, without any warning or permission check. While not an injection bug, this creates a real confidentiality and persistence risk because sensitive metadata is stored locally and may later be read by other processes, backups, or users depending on file permissions.

Session Persistence

Medium
Category
Rogue Agent
Content
openclaw cron rm travel-next

# Remove watchdog (if you added it)
crontab -l | grep -v watchdog | crontab -

# Run exactly one trip with no follow-up scheduling
# (edit travel-prompt.md: remove Step 7, then run travel.sh)
Confidence
94% confidence
Finding
crontab -l

VirusTotal

65/65 vendors flagged this skill as clean.
