
Security audit

Eyun Freight

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Eyun freight-rate connector, with privacy and enterprise-account scoping considerations but no hidden installer, persistence, or destructive behavior.

Install only if EYUN_BASE_URL points to a trusted Eyun service and EYUN_COMPANY_ID is the correct authorized enterprise. Avoid sending secrets or unnecessary personal, customer, or shipment details, and consider separate test and production configuration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 89%
Finding
The README explicitly states that once EYUN_COMPANY_ID is set, all requests will be made under that enterprise identity, but it does not warn operators about the account-scope and authorization consequences. In an agent-integrated skill, this can cause unintended access, cross-tenant actions, or misuse of a production enterprise account if the wrong ID is configured or if users assume requests are user-scoped rather than enterprise-scoped.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill explicitly forwards the user's raw query to a remote Eyun endpoint, but the instructions contain no user-facing disclosure or consent step about external transmission. This creates a real privacy and data-handling risk because users may include sensitive commercial, personal, or shipment information without realizing it will be sent to a third-party service.

VirusTotal

64/64 vendors flagged this skill as clean.
