Is leonardoooooo/tuniu-hotel safe?
https://github.com/openclaw/skills/tree/main/skills/leonardoooooo/tuniu-hotel
The tuniu-hotel skill is a legitimate Chinese hotel booking assistant that routes search, detail, and order-creation requests through shell-executed curl commands to Tuniu's official MCP API. No prompt injection, hidden instructions, or canary exfiltration were detected; installation was clean and limited to 2 expected files. The primary concerns are its explicit dependency on agent shell execution access (exec+curl), transmission of user PII to an external endpoint, and a configurable MCP URL that could silently redirect all traffic — including credentials and booking data — if the deployment environment is compromised.
Findings (7)
MEDIUM Shell execution required by design (exec + curl) -15
The skill frontmatter description and body both state that it operates 'through exec + curl' to invoke the Tuniu MCP service, so any agent deploying it must be granted shell/exec capabilities. That grant is not scoped to curl: an agent allowed to run shell commands for this skill can run any command. This is a significant privilege footprint — a purely API-based skill could accomplish the same goal without shell access.
MEDIUM Configurable MCP endpoint enables silent traffic redirection -15
All curl commands use ${TUNIU_MCP_URL:-https://openapi.tuniu.cn/mcp/hotel} as the target. An attacker who controls the deployment's environment variables can silently redirect every request, including hotel search results, the user PII submitted on order creation, and both API keys, to a server they control, with no change visible to the user. The skill provides no guidance to validate or pin this endpoint; at minimum a skill that accepts an override should require https and check the host against the documented value before attaching credentials.
MEDIUM User input injected into shell command strings without sanitization -15
City names, hotel names, guest first/last names, and phone numbers are interpolated directly into the curl -d JSON body strings, which are themselves part of a shell command line. No escaping or sanitization instructions are provided. A double quote in a name can terminate the JSON string it sits in, and a shell metacharacter can terminate the quoting of the command itself, so a user (or any content the agent treats as user input) can escape the intended payload context.
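The two findings above, the overridable endpoint and the unescaped interpolation, both come down to how the curl command is assembled. The following is an added example, not code from the tuniu-hotel skill: a POSIX sh helper that refuses to send anything to a host other than the documented one, builds the JSON body with explicit escaping, and hands it to curl on stdin so user-supplied values never appear on a command line. The request field names contactName and contactPhone come from the audit text; the guest field names firstName/lastName, the header names, and the TUNIU_API_KEY / TUNIU_APP_SECRET variables are placeholders assumed for illustration, not the real Tuniu API.

```shell
#!/bin/sh
# Added example (not part of the tuniu-hotel skill): hardened request
# helper for a curl-based agent skill.
# Assumptions: TUNIU_MCP_URL and the default URL are from the audit;
# firstName/lastName, the X-Api-Key/X-App-Secret headers and the
# TUNIU_API_KEY/TUNIU_APP_SECRET variables are placeholders.

TUNIU_DEFAULT_URL="https://openapi.tuniu.cn/mcp/hotel"

# tuniu_check_url URL: succeed only for https on the documented host.
# The "/" right after the host in the pattern rejects look-alikes such as
# https://openapi.tuniu.cn.evil.example/ and user@host tricks.
tuniu_check_url() {
  case "$1" in
    https://openapi.tuniu.cn/*) return 0 ;;
    *) return 1 ;;
  esac
}

# tuniu_endpoint: resolve TUNIU_MCP_URL (falling back to the default) and
# refuse to proceed if the override points anywhere else.
tuniu_endpoint() {
  url="${TUNIU_MCP_URL:-$TUNIU_DEFAULT_URL}"
  if tuniu_check_url "$url"; then
    printf '%s\n' "$url"
  else
    printf 'refusing to send credentials to %s\n' "$url" >&2
    return 1
  fi
}

# json_string VALUE: print VALUE as a quoted JSON string literal.
# Backslash and double quote are escaped; any raw control character
# (including a newline) is rejected, since none belongs in a name,
# phone number or city.  Shell metacharacters are inert here because the
# value is only ever handled as data, never re-parsed by the shell.
json_string() {
  if [ "$(printf '%s' "$1" | tr -d '[:cntrl:]')" != "$1" ]; then
    return 1
  fi
  printf '"%s"' "$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')"
}

# tuniu_order_body CONTACT_NAME CONTACT_PHONE GUEST_FIRST GUEST_LAST:
# assemble the create_order payload from individually escaped fields.
tuniu_order_body() {
  n=$(json_string "$1") && p=$(json_string "$2") &&
  f=$(json_string "$3") && l=$(json_string "$4") || return 1
  printf '{"contactName":%s,"contactPhone":%s,"guests":[{"firstName":%s,"lastName":%s}]}\n' \
    "$n" "$p" "$f" "$l"
}

# tuniu_post BODY: send BODY on stdin via --data-binary @-, so the payload
# is never part of argv and curl cannot reinterpret it (e.g. as @file).
# Credentials are attached only after the endpoint check has passed.
tuniu_post() {
  url=$(tuniu_endpoint) || return 1
  printf '%s' "$1" | curl --silent --show-error --fail \
    -H 'Content-Type: application/json' \
    -H "X-Api-Key: ${TUNIU_API_KEY:?TUNIU_API_KEY not set}" \
    -H "X-App-Secret: ${TUNIU_APP_SECRET:?TUNIU_APP_SECRET not set}" \
    --data-binary @- "$url"
}

# Intended use by the agent: pass each user value as its own argument,
# never as part of a command string it composes itself, e.g.
#   tuniu_post "$(tuniu_order_body "$name" "$phone" "$first" "$last")"
```

The important property is that user data enters the script only as function arguments: a name such as `O"Brien` or `$(id)` is escaped or left inert rather than spliced into a command line, and a TUNIU_MCP_URL pointing off-host fails closed before either key is read.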
MEDIUM PII (name, phone) collected and transmitted to external API -12
The create_order function requires contactName, contactPhone, and guest first/last names, which are assembled and POSTed to Tuniu's external API. While expected for hotel booking, the user PII leaves the local agent environment with no mention of data handling, retention, or consent requirements.
LOW Auto-triggers hotel detail API without user confirmation -10
The skill explicitly instructs the agent to call tuniu_hotel_detail automatically whenever a hotel is identified in context, stating that no user confirmation is needed. This bypasses the agent's normal permission model for outbound network calls and can result in API requests the user never asked for or saw, triggered by whatever content happens to mention a hotel.
LOW Canary files read at two points during audit session -10
Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP application_default_credentials.json) were opened and read at 09:24:38 (before git clone) and again at post-install teardown. All accesses were CLOSE_NOWRITE, so no modifications occurred. The access pattern (rapid sequential reads before installation) is consistent with the monitoring framework's baseline initialization rather than skill-triggered reads. The integrity checker confirms all files intact.
INFO Clean installation from expected GitHub source 0
Installation performed a shallow git clone from github.com with sparse checkout of the target skill path. No secondary downloads, unexpected processes, or out-of-scope filesystem writes were observed. Only the 2 expected files were added.