Back to skill

Security audit

Cruise Product Chat Bot

Security checks across malware telemetry and agentic risk

Overview

This cruise search skill is coherent and low-risk, but users should understand that their cruise queries are sent to an external remote service.

Install only if you are comfortable sending cruise search details to the provider's remote gateway. Avoid entering sensitive travel documents, payment details, or account credentials unless the service separately provides clear privacy and booking protections.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation instructs users or integrators to send input to an external HTTP endpoint and notes that calls are routed through a gateway for statistics, but it does not disclose privacy, data handling, or consent considerations. In an agent skill context, this can lead to inadvertent transmission of user prompts or potentially sensitive booking information to third-party infrastructure without adequate warning.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.