Back to skill

Security audit

Travel Planner Mastery

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only travel planning helper with broad trigger wording but no code, hidden access, persistence, or exfiltration behavior.

Safe to install as a travel-planning helper. Avoid entering unnecessary sensitive details such as full passport numbers, payment card numbers, or detailed medical information, and verify visa, health, safety, and booking information from official sources before relying on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
96% confidence
Finding
The skill description is extremely broad ('Complete travel planning system' and 'Use when planning any trip'), which can match a wide range of ordinary travel-related requests and increase the chance of unintended invocation. Over-broad routing is a genuine security and reliability issue because it can cause this skill to activate when the user did not intend it, potentially pulling the conversation into a different workflow and exposing unnecessary context.

Vague Triggers

Medium
Confidence
98% confidence
Finding
The command trigger 'Review my itinerary' is generic everyday language that could appear naturally in many conversations, causing accidental activation of the skill. This is dangerous in agent-routing contexts because common phrases create ambiguous matches, increasing the likelihood of misfires and inappropriate skill selection.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal