Is travel-agent safe?
https://clawhub.ai/skill/travel-agent
This is a legitimate travel booking skill by BonBook that operates via email and web form interactions. It contains no executable code, no hidden instructions, and no attempts to access sensitive files. The primary risks are inherent to its function: it directs the agent to send user travel data to a third-party commercial service and to complete web forms with PII, creating data exposure that depends on BonBook's trustworthiness. Strong safety metadata (disable-model-invocation, require-explicit) mitigates autonomous misuse.
Findings (10)
MEDIUM Agent directed to send emails to external service -10
The skill instructs the agent to compose and send emails to [email protected] on behalf of the user. While this is the core functionality and human approval is emphasized, the skill effectively programs the agent to communicate with an external party, creating a data flow outside the user's direct control.
MEDIUM Agent instructed to complete web forms with PII -8
During one-time setup, the skill instructs the agent to fill out profile forms on bonbook.co with the user's legal name, date of birth, phone number, and email. While human approval is required, this is a significant behavioral directive that could lead to PII disclosure if the user approves without careful review.
LOW Commercial promo code embedded in agent instructions -4
The skill embeds a promotional code (WELCOME30) in the setup instructions, making the agent an implicit sales channel for BonBook's subscription service ($1/day after trial). This is commercial manipulation through agent instructions, though it is disclosed.
MEDIUM Travel intent and PII sent to third-party service -15
By design, the skill causes user data (travel plans, name, DOB, contact info) to be transmitted to BonBook's servers via email and web forms. This is the skill's intended function but represents real data leaving the user's environment to a commercial third party.
LOW Broad inbox access implied by email prerequisite -10
The skill requires the agent to have email send/receive permissions. While the skill claims to only read emails from [email protected], the prerequisite grants broader inbox access that the skill acknowledges but cannot technically restrict.
INFO Single HTTPS connection during installation -5
One outbound HTTPS connection to 216.150.1.1:443 was observed during skill installation, consistent with downloading the skill package from the ClawHub registry. No additional or unexpected connections were detected.
INFO Standard system background network activity -10
mDNS multicast, DNS resolution via systemd-resolved, and CUPS printing service connections are all normal Linux desktop background activity unrelated to the skill.
MEDIUM Third-party trust dependency -15
The skill's safety claims rely heavily on BonBook's assertions about their email content controls and data handling practices. Users must trust that BonBook will not change their email format to include sensitive PII, will maintain PCI-DSS compliance, and will honor their privacy commitments. These claims cannot be verified from the skill alone.
LOW Subscription lock-in via agent-mediated signup -7
The skill instructs the agent to sign the user up for a paid subscription ($1/day after trial). While human approval is required for payment, the agent-mediated signup flow could lead to unintended subscriptions if the user doesn't carefully review each step.
INFO Strong safety metadata flags -5
The skill uses disable-model-invocation: true and require-explicit: true, preventing autonomous activation and requiring human approval for each action. This is a best-practice safety posture for a skill with financial implications.