travel-concierge
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- Prompt Injection (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8) due to its core functionality.
  - Ingestion points: Untrusted web content from URLs (Airbnb, Booking.com, VRBO, Expedia) provided by the user is processed by the `travel-concierge` tool (SKILL.md).
  - Boundary markers: Absent. There are no instructions to delimit or ignore instructions found within the scraped data.
  - Capability inventory: The agent executes the `travel-concierge` CLI and is instructed to 'present the dossier to the user', potentially influencing subsequent agent logic based on malicious site content.
  - Sanitization: Absent. No evidence of content filtering or sanitization before the scraped output is returned to the agent context.
- Command Execution (MEDIUM): The skill relies on a pre-installed or external binary `travel-concierge`. The source of this binary is not provided in the skill package, and it executes arbitrary code based on input URLs.
- External Downloads (MEDIUM): The `_meta.json` points to an untrusted repository (github.com/clawdbot/skills), which does not meet the Trusted External Sources criteria. Any automatic updates or installations from this source would be unverified.
- Credentials Unsafe (LOW): The skill manages a `googlePlacesApiKey` through the `config set` and `config show` subcommands. While common for CLIs, an attacker could use prompt injection to trick the agent into running `config show` and revealing the API key in the chat history.
Recommendations
- AI detected serious security threats
Audit Metadata