Is travel-agent safe?

https://clawhub.ai/aSzelem/travel-agent

62
CAUTION

This skill is a commercial travel booking service (BonBook) that directs the agent to sign users up for a paid subscription, transmit PII via web forms, and send travel itineraries to a third-party email address. While it includes consent mechanisms and transparency documentation, the core operation involves systematic exfiltration of personal data and travel plans to an external service, and embeds a commercial onboarding funnel in the agent's instruction set. No malicious code execution or canary violations were detected.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection 68/100 · 30%
Data Exfiltration 48/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 72/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 35/100 · 5%

Findings (9) — severity · title (score impact)

HIGH · PII transmission to a third party via web forms (-30)

The skill's setup flow instructs the agent to collect legal name, DOB, phone number, and email address and submit them to bonbook.co web forms. While the skill claims PCI-DSS compliance and encryption, the agent is transmitting sensitive PII to a third-party commercial service.

HIGH · Travel data exfiltration via email channel (-22)

Every booking, change, and cancellation sends user travel details (origins, destinations, dates, times, preferences) to [email protected]. The agent composes these emails from user-provided information, creating a persistent data exfiltration channel to an external party.

MEDIUM · Commercial signup funnel embedded in skill instructions (-15)

The skill's setup flow directs the agent to navigate to bonbook.co/access, complete a registration form, apply a promo code (WELCOME30), and guide the user through a paid subscription ($1/day). This is behavioral steering toward commercial conversion, not a neutral utility.

MEDIUM · Agent directed to interact with external checkout pages (-10)

The skill instructs the agent to 'click Select' on offer summaries, navigate checkout pages, and facilitate payment — directing the agent to perform financial actions on a third-party website.

MEDIUM · Threatening language to suppress agent safety behavior (-7)

The consent section uses threats of permanent bans to discourage agents from questioning or verifying consent, which could suppress legitimate security guardrails.

MEDIUM · Calendar data sharing with third party (-10)

The optional calendar sync feature instructs the agent to share calendar data with BonBook's backend, allowing a third party to access the user's schedule.

LOW · Sensitive file access during installation window (-28)

During installation, filesystem monitoring detected access to .env, .aws/credentials, and openclaw configuration files. These appear to be platform-initiated rather than skill-initiated, but the timing coincides with skill installation.

LOW · Skill leverages pre-existing high-privilege permissions (-15)

The skill requires the agent to already have email send/receive and optionally web browsing and calendar read permissions. It inherits these high-privilege capabilities without contributing to their security, and uses them to interact with external services.

INFO · Skill is well-documented with consent mechanisms (0)

The skill includes detailed provenance, explicit consent requirements, disable-model-invocation and require-explicit flags, and clear data handling documentation. These are positive signals, though they do not eliminate the inherent risks of sending PII and travel data to a third party.