Back to skill

Security audit

Cruise Product Comparison

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple remote cruise-product lookup integration, with some incomplete documentation but no evidence of harmful behavior.

Before installing, understand that this appears to send cruise search/filter requests to the disclosed CruiseSkillBridge/Ola Vacations MCP gateway. Do not assume it performs full automated comparison beyond returning filtered product lists, and avoid entering sensitive personal details unless you trust that service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The skill advertises cruise product comparison, but the documented behavior only shows a generic POST request and a single product listing tool. This mismatch can mislead users or downstream agents into relying on capabilities that do not exist, causing incorrect decisions, unsafe automation assumptions, or inadvertent data submission to an unrelated endpoint.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The stated purpose of comparing cruise products is inconsistent with the only published tool, which merely lists/filter products. This creates a capability-deception risk: agents may invoke the skill expecting comparative analysis and make decisions based on incomplete or fabricated comparisons, especially in autonomous workflows.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.