Back to skill

Security audit

Cruise Travel Advice

Security checks across malware telemetry and agentic risk

Overview

This cruise advice MCP skill is sparse and uses an external gateway, but its behavior is disclosed, purpose-aligned, and not supported by evidence of hidden or harmful activity.

Install only if you are comfortable with cruise-related requests being sent to the CruiseSkillBridge/olavacations remote MCP gateway. Avoid including secrets, payment details, account credentials, or unnecessary personal information in requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill is ներկայացted as general cruise travel advice, but it also exposes a product_info tool for retrieving cruise product details. This scope mismatch can mislead users and downstream agents about what data access and actions are actually available, weakening informed consent and increasing the chance of unintended data disclosure or invocation of higher-privilege functionality.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The usage instructions direct requests to an external endpoint and note that published calls are routed through a gateway with statistics collection, but they do not clearly warn users that their inputs leave the local environment and may be logged or monitored. This can cause sensitive prompts, travel data, or identifiers to be transmitted off-platform without meaningful notice.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.