Back to skill

Security audit

Cruise Finder Tool

Security checks across malware telemetry and agentic risk

Overview

This cruise-search skill is a simple remote API tool; it is disclosed and purpose-aligned, though users should know their search data is sent through an external gateway.

Before installing, assume cruise search inputs may be transmitted to CruiseSkillBridge or the ola vacations gateway and counted in usage statistics. Avoid sending sensitive personal, payment, passport, or account information unless the publisher documents how requests and responses are handled, logged, and retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation instructs users to send POST requests to an external endpoint and explicitly states that requests will be forwarded through a gateway and counted in console statistics, but it does not warn that submitted data may be transmitted, logged, metered, or exposed to third-party infrastructure. In a tool skill, this can lead users or downstream agents to send potentially sensitive prompts or personal travel data without informed consent or data-handling expectations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.