Back to skill

Security audit

cruise-product-info

Security checks across malware telemetry and agentic risk

Overview

This is a small remote MCP skill for cruise product lookup, with disclosed gateway routing and no local code or persistence.

Install only if you are comfortable sending cruise product lookup requests to the listed CruiseSkillBridge/olavacations remote MCP endpoint. Avoid including secrets, account credentials, or unrelated personal data in requests unless the publisher provides clear privacy and retention terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly instructs users to send POST requests and states that requests will be routed through a gateway and counted in console statistics, but it does not warn that request contents may be transmitted to and logged by an intermediary service. This creates a privacy and data-governance risk because users may submit sensitive business or personal data under the assumption they are communicating only with the target skill endpoint.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.