Trusted — Risk Score 5/100
Last scan: 2 days ago
kontour-travel-planner
Transform any AI agent into a world-class travel planner using Kontour AI's 9-dimension progressive planning model with structured conversation flow.
A legitimate travel planning skill with no malicious behavior detected. All scripts run entirely offline with no network calls, credential access, or shell execution beyond what is declared in SKILL.md.
Skill Name: kontour-travel-planner
Duration: 37.9s
Engine: pi
Safe to install
No action needed. The skill is safe to use.

Findings (2 items)

Severity: Low
Finding: Broad character allowlist in input validation
plan.sh line 22 allows 33 character classes, which is broader than necessary, but this is cosmetic since the input is passed to Python as an argument without shell interpolation.
    grep -qE '^[a-zA-Z0-9 ,.\-\/\$€£¥()!?\'\''&]+$'
→ Consider narrowing the allowlist to reduce surface area, though no actual injection risk exists due to argument passing.
Location: scripts/plan.sh:22

Severity: Low
Finding: gen-airports.py is a one-time data generator, not runtime
gen-airports.py generates reference data (airports.json) and is not invoked by any workflow. It has no security impact on runtime behavior.
    """Generate airports.json with top 500 airports. Run once to create reference data."""
→ No action needed; this is a data seeding script.
Location: scripts/gen-airports.py:1
Capabilities (declared vs. inferred)

Resource      Declared  Inferred  Status     Evidence
Filesystem    READ      READ      ✓ Aligned  plan.sh:54 reads destinations.json; export-gmaps.sh:53 reads itinerary.json
Shell         WRITE     WRITE     ✓ Aligned  plan.sh, export-gmaps.sh invoke python3 for processing; KML write is opt-in via …
Network       NONE      NONE                 No curl, wget, urllib, requests, or httpx calls found in any script
Environment   NONE      NONE                 SKILL.md declares env:[]; scripts use only sys.argv arguments
Skill Invoke  NONE      NONE                 No cross-skill invocation detected
Clipboard     NONE      NONE                 No clipboard access
Browser       NONE      NONE                 Generates Google Maps URLs but makes no actual browser/HTTP requests
Database      NONE      NONE                 No database access
External URLs (35 findings)

Severity  Type          URL  (Location)
Medium    External URL  https://kontour.ai  (README.md:3)
Medium    External URL  https://skills.sh  (README.md:11)
Medium    External URL  https://clawhub.com  (README.md:11)
Medium    External URL  https://www.google.com/maps/dir/35.7148  (SKILL.md:221)
Medium    External URL  https://kontour.ai/trip/SHARE_TOKEN  (SKILL.md:257)
Medium    External URL  https://kontour.ai?dest=  (SKILL.md:291)
Medium    External URL  https://kontour.ai/integrations  (SKILL.md:334)
Medium    External URL  https://api.amadeus.com/v2/shopping/flight-offers  (references/booking-integrations.json:5)
Medium    External URL  https://api.sabre.com/v2/shop/flights  (references/booking-integrations.json:6)
Medium    External URL  https://api.travelport.com/air/search  (references/booking-integrations.json:7)
Medium    External URL  https://www.google.com/travel/flights  (references/booking-integrations.json:8)
Medium    External URL  https://api.tequila.kiwi.com/v2/search  (references/booking-integrations.json:9)
Medium    External URL  https://distribution-xml.booking.com/json/bookings  (references/booking-integrations.json:12)
Medium    External URL  https://api.ean.com/v3/properties  (references/booking-integrations.json:13)
Medium    External URL  https://api.hotels.com/v1/search  (references/booking-integrations.json:14)
Medium    External URL  https://api.airbnb.com/v2/search  (references/booking-integrations.json:15)
Medium    External URL  https://api.hostelworld.com/v2/properties  (references/booking-integrations.json:16)
Medium    External URL  https://api.getyourguide.com/1/tours  (references/booking-integrations.json:19)
Medium    External URL  https://api.viator.com/partner/products/search  (references/booking-integrations.json:20)
Medium    External URL  https://api.klook.com/v1/activities  (references/booking-integrations.json:21)
Medium    External URL  https://api.airbnb.com/v2/experiences  (references/booking-integrations.json:22)
Medium    External URL  https://api.rentalcars.com/v1/search  (references/booking-integrations.json:25)
Medium    External URL  https://api.enterprise.com/v1/vehicles  (references/booking-integrations.json:26)
Medium    External URL  https://api.hertz.com/v1/availability  (references/booking-integrations.json:27)
Medium    External URL  https://api.sixt.com/v1/offers  (references/booking-integrations.json:28)
Medium    External URL  https://api.raileurope.com/v2/search  (references/booking-integrations.json:31)
Medium    External URL  https://japanrailpass.net/api/v1  (references/booking-integrations.json:32)
Medium    External URL  https://api.trainline.com/v1/search  (references/booking-integrations.json:33)
Medium    External URL  https://api.amtrak.com/v1/trips  (references/booking-integrations.json:34)
Medium    External URL  https://api.rome2rio.com/v1/search  (references/booking-integrations.json:35)
Medium    External URL  https://kontour.ai?ref=embed&dest=  (references/embed-snippets.json:7)
Medium    External URL  https://www.google.com/maps/search/  (scripts/export-gmaps.sh:82)
Medium    External URL  https://www.google.com/maps/dir/  (scripts/export-gmaps.sh:126)
Medium    External URL  https://www.google.com/maps/embed?pb=!1m14!1m12!1m3!1d50000!2d  (scripts/export-gmaps.sh:152)
Medium    External URL  http://www.opengis.net/kml/2.2  (scripts/export-gmaps.sh:184)

File Tree

13 files · 238.8 KB · 5559 lines
JSON 7f · 4335L Shell 3f · 437L Python 1f · 403L Markdown 2f · 384L
├─ 📁 references
│ ├─ 📋 activities.json JSON 37L · 5.2 KB
│ ├─ 📋 airlines.json JSON 62L · 8.4 KB
│ ├─ 📋 airports.json JSON 3921L · 63.6 KB
│ ├─ 📋 booking-integrations.json JSON 46L · 7.2 KB
│ ├─ 📋 budget-benchmarks.json JSON 53L · 4.5 KB
│ ├─ 📋 destinations.json JSON 198L · 74.7 KB
│ └─ 📋 embed-snippets.json JSON 18L · 1.1 KB
├─ 📁 scripts
│ ├─ 🔧 export-gmaps.sh Shell 246L · 8.0 KB
│ ├─ 🐍 gen-airports.py Python 403L · 44.5 KB
│ ├─ 🔧 plan.sh Shell 136L · 4.5 KB
│ └─ 🔧 socket-review-check.sh Shell 55L · 2.0 KB
├─ 📝 README.md Markdown 50L · 1.9 KB
└─ 📝 SKILL.md Markdown 334L · 13.0 KB

Dependencies (2 items)

Package  Version  Source  Known Vulns  Notes
bash     system   system  No           Declared in SKILL.md frontmatter
python3  system   system  No           Declared in SKILL.md frontmatter; standard library only, no pip packages

Security Positives

✓ No network requests made at runtime (verified by socket-review-check.sh)
✓ No credential access or environment variable enumeration
✓ No remote script execution (curl|bash, wget|sh, or eval patterns)
✓ No obfuscation or base64-encoded payloads
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ Input validation with file size limits (1MB) and character allowlists
✓ Output sanitization with name length limits (120 chars) and control char stripping
✓ All capabilities declared in SKILL.md frontmatter match inferred behavior
✓ MIT-0 license with env:[] confirming no credential requirements
✓ Self-contained static reference data — no external API dependencies
✓ Proactive self-review script (socket-review-check.sh) catches regressions