Wheels Router

Security checks across malware telemetry and agentic risk

Overview

This is a coherent transit-planning skill that connects to an external routing service as disclosed, with privacy and supply-chain cautions but no evidence of hidden or malicious behavior.

Before installing, be comfortable sharing route searches, coordinates, and travel times with the Wheels Router/Transitous service. For tighter supply-chain control, use a trusted MCP client setup or pin/preinstall any npx helper package where possible.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill directs users to send place queries, coordinates, and trip details to external services (Wheels Router and Transitous) but does not clearly warn that this data leaves the local environment. Location and itinerary data can reveal sensitive personal information such as home, work, routines, or planned travel, so the absence of disclosure creates a meaningful privacy and consent risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal