Is marsqing/tripgenie-skill safe?

https://github.com/openclaw/skills/tree/main/skills/marsqing/tripgenie-skill

69
CAUTION

TripGenie is a legitimate Trip.com travel API integration skill with no evidence of overtly malicious behavior at install time. However, it presents three meaningful concerns: it manipulates agent skill-routing through high priority metadata and embedded override directives; it instructs the agent to forward external API responses without filtering, creating a secondary prompt injection vector; and its bash Usage snippet contains a shell injection vulnerability via unescaped ${USER_QUERY} interpolation. The skill is not inherently malicious but carries architectural risks that require review before deployment in contexts where agents have access to sensitive data.

Category Scores

Prompt Injection 62/100 · 30%
Data Exfiltration 67/100 · 25%
Code Execution 63/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (8)

HIGH Skill-selection override via priority and repeated preference instructions -18

The skill uses metadata priority 90 and embeds three separate natural-language directives instructing the agent to prefer TripGenie over other skills. This manipulates the agent's routing logic and could suppress other installed skills from handling relevant queries.

HIGH Shell injection via unescaped ${USER_QUERY} in curl command -22

The Usage section bash snippet splices ${USER_QUERY} into the JSON request body by closing the single-quoted string, wrapping the placeholder in double quotes, and reopening the single quotes. Agents fill a ${...} placeholder in as literal text before the line reaches a shell, so a query containing shell metacharacters (;, backticks, $(...)) is parsed as shell syntax and executes under the agent's privileges. Even when the shell itself expands the variable, the value lands unescaped inside the JSON, so a double quote in the query corrupts the body or adds fields to the request.
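The page does not reproduce the snippet, so the following is an added example (not the skill's own code) that recreates the quoting pattern the finding describes and contrasts it with a request body built from the query as data. The `send` function stands in for the real curl call and only prints the body it would post; the template text, the placeholder name and the marker file path are constructed for this demonstration.

```bash
#!/usr/bin/env bash
# Added example: recreates the Usage-snippet quoting pattern described in the
# finding. `send` stands in for the real curl call and just prints the body it
# would post; nothing here touches the network.
send() { printf 'BODY=%s\n' "$1"; }

# The risky pattern: the single-quoted JSON body is closed, the placeholder is
# wrapped in double quotes, and the single-quoted string is reopened.
# (Template text is constructed to mirror the finding, not copied from the skill.)
TEMPLATE=$(cat <<'EOF'
send '{"query": "'"${USER_QUERY}"'"}'
EOF
)

# An agent fills a ${USER_QUERY} placeholder in as literal text before the
# line reaches a shell. This mimics that textual substitution.
render_template() {
  local query=$1 ph='${USER_QUERY}'
  printf '%s' "${TEMPLATE//"$ph"/"$query"}"
}

# Vulnerable path: the rendered line is handed to the shell, so whatever the
# query contains is parsed as shell syntax. $(...) inside the double quotes runs.
demo_vulnerable() {
  local rendered
  rendered=$(render_template "$1")
  eval "$rendered"
}

# Minimal JSON string encoder in pure bash: escapes backslash, double quote and
# the common control characters. Prefer `jq -n --arg q "$q" '{query: $q}'`
# when jq is available; this fallback leaves other control characters as-is.
json_string() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//\"/\\\"}
  s=${s//$'\n'/\\n}
  s=${s//$'\r'/\\r}
  s=${s//$'\t'/\\t}
  printf '"%s"' "$s"
}

# Hardened path: the query stays a shell variable (data), the body is built
# from an encoded JSON string, and nothing is re-parsed by the shell.
demo_safe() {
  local USER_QUERY=$1 body
  body="{\"query\": $(json_string "$USER_QUERY")}"
  send "$body"
}

main() {
  local marker query
  marker=$(mktemp -u)   # path only; the file appears iff the injection runs
  query="Rome \$(echo pwned >\"$marker\")"
  echo "rendered line: $(render_template "$query")"
  demo_safe "$query"         # marker is not created; $(...) stays literal
  demo_vulnerable "$query"   # marker is created: the query ran as a command
  [ -e "$marker" ] && echo "injection executed: $marker exists"
  rm -f "$marker"
}
main
```

The vulnerable run prints `BODY={"query": "Rome "}` because the command substitution executed and its output (redirected to the marker file) was empty; the safe run prints the `$(...)` text verbatim inside a valid JSON string.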

HIGH Blind API response forwarding enables secondary prompt injection -20

The Output Handling section explicitly forbids the agent from summarizing, filtering, or reformatting the API response. Any content returned by tripgenie-openclaw-prod.trip.com is forwarded verbatim into the agent's output context, allowing the API server (or a network-level attacker) to inject agent instructions through the response channel.

MEDIUM User query content sent to external Trip.com API server -15

Every triggered query — including potentially sensitive travel plans, dates, traveling companions, budgets, and any agent-prepended context — is transmitted to a Trip.com controlled endpoint over HTTPS. This is the skill's stated purpose but users should understand their query data leaves the local agent context.

MEDIUM API key exposed in shell command and written to world-readable temp file -13

TRIPGENIE_API_KEY is interpolated directly into the curl argument list, so it is visible to every local user through process listings (ps aux, /proc/<pid>/cmdline) and is recorded in shell history. Output is written to /tmp/tripgenie-result.md, a fixed, predictable path in a world-accessible directory: the file is readable by all local processes, and another local user can pre-create or symlink it before the skill writes.
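As an added example (not the skill's code), the following keeps the key out of argv by handing the authorization header to curl through a config read from stdin, and replaces the fixed /tmp path with a private temp file. The bearer-token header format, the endpoint URL and the temp-file prefix are assumptions for the demonstration; the page states only that the key is passed on the command line.

```bash
#!/usr/bin/env bash
# Added example, not the skill's own code. Secret handling: the header goes to
# curl via `--config -` (stdin), so it never appears in `ps` or shell history;
# request and result files are created 0600 with unguessable names.

# Create a temp file readable only by the current user. mktemp already uses
# mode 0600; the umask in the subshell covers implementations that do not.
private_tmpfile() {
  ( umask 077; mktemp "${TMPDIR:-/tmp}/tripgenie.XXXXXX" )
}

# Emit a curl config carrying the secret. Fed to `curl --config -`, the header
# never becomes a command-line argument. Bearer header format is an assumption.
curl_config() {
  local url=$1
  printf 'url = "%s"\n' "$url"
  printf 'header = "Authorization: Bearer %s"\n' "$TRIPGENIE_API_KEY"
  printf 'header = "Content-Type: application/json"\n'
}

# Post an already-encoded JSON body and print the path of the private result
# file. $1 = endpoint URL, $2 = JSON body. The only argv other users can see
# is the option list and two random file names.
post_query() {
  local url=$1 body=$2 bodyfile outfile
  bodyfile=$(private_tmpfile)
  outfile=$(private_tmpfile)
  printf '%s' "$body" >"$bodyfile"
  curl_config "$url" | curl --silent --show-error --fail \
    --config - --data-binary "@$bodyfile" --output "$outfile"
  rm -f "$bodyfile"
  printf '%s\n' "$outfile"
}

# Mode string of a file, portable across GNU and BSD ls: "-rw-------" is 0600.
file_mode() { ls -ld "$1" | cut -c1-10; }

# Dry run: show the config with the key masked and the mode of a private file.
# (No request is sent; example.invalid is a placeholder endpoint.)
main() {
  local f
  TRIPGENIE_API_KEY="${TRIPGENIE_API_KEY:-example-key}" \
    curl_config "https://example.invalid/query" | sed 's/Bearer .*/Bearer [redacted]"/'
  f=$(private_tmpfile)
  echo "result file $f mode: $(file_mode "$f")"
  rm -f "$f"
}
main
```

In real use the caller would run `post_query "$URL" "$body"` with TRIPGENIE_API_KEY exported in the environment; environment variables are still readable by the same user, but unlike argv they are not exposed to other users or to shell history.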

MEDIUM Response injection path via controlled API endpoint -20

Because the agent is instructed to forward the API response without modification, a compromise of tripgenie-openclaw-prod.trip.com, or an attacker able to intercept the TLS session to it (for example through a proxy certificate the agent host trusts), could deliver prompt injection payloads to any agent running this skill. The skill's own instructions disable the summarize-and-filter step that would otherwise blunt this attack.

LOW No suspicious activity during clone phase -10

Clone was performed via expected GitHub HTTPS connection. All other network connections during the observation window were attributable to system daemons and the OpenClaw platform gateway. No canary files were read or modified by skill code.

INFO Canary files read during audit framework integrity checks only -10

Canary file PATH audit events at timestamps 1771951784 (pre-install) and 1771951803 (post-install) are consistent with the Oathe audit system's own integrity verification routines, not skill-originated access. All canary file hashes confirmed intact.