tuniu-cli Security Report — Low Risk | ClawSafe

25 /100

tuniu-cli

途牛旅行统一助手 — 通过 tuniu CLI 统一调用机票、酒店、门票、火车票、邮轮、度假产品等旅行服务

Single-file travel booking wrapper skill with no scripts; all capabilities are declared and consistent with its purpose, but the trustworthiness hinges entirely on the uninspectable tuniu-cli npm package.

Skill Nametuniu-cli

Duration35.6s

Enginepi

✓

Safe to install

Before production use, verify the tuniu-cli npm package integrity (hash, publisher identity, recent audit) and consider pinning it to an exact version. Since all code executes inside the tuniu-cli binary rather than within the skill itself, review the CLI's provenance carefully.

Findings 3 items

Severity	Finding	Location
Medium	No inspectable source code The skill consists of only SKILL.md. All business logic, API calls, credential handling, and data exfiltration happen inside the tuniu-cli npm binary, which cannot be audited here. This creates a significant blind spot. `name: tuniu-cli, description: 途牛旅行统一助手...` → Verify the tuniu-cli npm package: check publisher identity, download count, recent activity, and ideally pin to a specific version. Consider hosting a pinned copy internally.	`SKILL.md:1`
Medium	PII transmitted to external service Passport numbers, ID numbers, names, and phone numbers are sent to openapi.tuniu.cn via the CLI. While declared in SKILL.md, the CLI implementation cannot be audited for secondary exfiltration. `预订功能会将用户提供的个人信息（联系人姓名、手机号、乘客姓名、证件号等）通过 tuniu CLI 发送至途牛远端服务` → Ensure the tuniu-cli package is from the legitimate Tuniu publisher. Consider adding a disclaimer that PII leaves the local environment.	`SKILL.md:1`
Low	npm install without version pinning in user docs The skill documentation suggests 'npm install -g tuniu-cli@latest', which pulls the latest version at install time rather than a verified pinned version. `npm install -g tuniu-cli@latest` → Pin to a specific version hash: npm install -g [email protected] --sha512=<hash>	`SKILL.md:19`

Resource	Declared	Inferred	Status	Evidence
Shell	`WRITE`	`WRITE`	✓ Aligned	SKILL.md: '本 skill 通过 shell exec 执行 tuniu CLI 命令'
Network	`READ`	`READ`	✓ Aligned	SKILL.md: all tuniu call targets resolve to https://openapi.tuniu.cn/* endpoints
Environment	`READ`	`READ`	✓ Aligned	SKILL.md metadata: TUNIU_API_KEY env var required
Filesystem	`NONE`	`NONE`	—	No file read/write operations described in SKILL.md
Clipboard	`NONE`	`NONE`	—	No clipboard access described
Browser	`NONE`	`NONE`	—	No browser interaction described

4 findings

🔗

Medium External URL 外部 URL

https://open.tuniu.com/mcp

SKILL.md:32

🔗

Medium External URL 外部 URL

https://openapi.tuniu.cn/tour/mcp/discovery

SKILL.md:169

🔗

Medium External URL 外部 URL

https://openapi.tuniu.cn/mcp/hotel

SKILL.md:182

🔗

Medium External URL 外部 URL

https://openapi.tuniu.cn/mcp/ticket

SKILL.md:183

File Tree

1 files · 21.9 KB · 580 lines

Markdown 1f · 580L

└─ 📝 SKILL.md Markdown 580L · 21.9 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`tuniu-cli`	`latest`	npm	No	Version unpinned; source is a third-party npm package with no code in this repo — trustworthiness cannot be verified without npm audit.

Security Positives

✓ No shell scripts or Python/JS code in the skill repository — attack surface is limited to the declared tuniu CLI invocation pattern.

✓ All capabilities (shell:WRITE, network:READ, environment:READ) are clearly declared and match actual usage.

✓ No sensitive path access (~/.ssh, ~/.aws, .env files) observed.

✓ No base64, eval, curl|bash, or direct IP network requests found in the skill definition.

✓ PII handling is documented and the external data flow is described transparently.

✓ Error handling with exit codes is well-documented, suggesting a mature CLI wrapper.

Scan Report

Findings 3 items

File Tree

Dependencies 1 items

Security Positives