book-hotel

Pass

Audited by Gen Agent Trust Hub on May 5, 2026

Risk Level: SAFE
Categories: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface because it ingests untrusted data (package IDs, session IDs, and guest contact details) and interpolates them into shell commands. This could potentially be exploited if a malicious search result or user input provides specially crafted strings.
      • Ingestion points: Data entering through the packageId, sessionId, and guest contact fields in SKILL.md.
      • Boundary markers: Data is passed within JSON strings inside single-quoted shell arguments, which provides basic structural containment but lacks explicit instructions for the agent to ignore embedded commands.
      • Capability inventory: The skill can execute shell commands via npx to perform financial transactions and check booking status.
      • Sanitization: There is no evidence of input validation or sanitization for the external fields before they are used in the command-line interface.
  • [EXTERNAL_DOWNLOADS]: The skill downloads and executes code from the npm registry at runtime using npx. This includes the awal CLI from Coinbase and the @tvl-justin/travel-cli, which is a resource owned by the skill's author.
  • [COMMAND_EXECUTION]: The skill utilizes shell commands to interact with the blockchain wallet and the hotel booking system. It specifically uses the awal x402 pay and travel-cli book-status commands.
  • [DATA_EXFILTRATION]: The skill transmits personally identifiable information (PII), such as guest names, email addresses, and phone numbers, to an external API endpoint on AWS App Runner. This is a necessary part of the hotel booking process and is consistent with the skill's description.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 5, 2026, 07:32 AM