Back to skill

Security audit

Cruise Products for Beach Vacations

Security checks across malware telemetry and agentic risk

Overview

This is a small MCP skill that routes cruise product queries to a disclosed external gateway, with no local executable code or persistence.

Install only if you are comfortable sending cruise-search inputs to the listed CruiseSkillBridge/olavacations MCP gateway. Avoid submitting sensitive personal or business data unless the publisher provides privacy, logging, and retention details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to send POST requests to an external endpoint and states that published usage will be routed through a gateway and counted in console statistics, but it does not clearly warn that user-supplied data leaves the local environment. This creates a real data-exposure risk because users may submit sensitive prompts or business data without informed consent, and the gateway substitution further obscures the actual destination.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.