Security audit

Vibrant Wisteria Blooms Spring — Kawachi Fuji Garden, Fukuoka | AI Experience

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only hosted garden experience skill; its account and API use are disclosed, but users should avoid sharing unnecessary personal details.

Install only if you are comfortable using drifts.bot as a hosted service. Use a dedicated token, provide only the required username unless you want personalization, and avoid putting sensitive personal information in profile fields, reflections, or reviews.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (4)

Description-Behavior Mismatch

Medium

Confidence: 95% confidence
Finding: The skill is presented as a single immersive wisteria garden walk, but the markdown implements a broader account-based platform workflow including registration, profile creation, journey state management, reviews, and catalog browsing. This is a scope mismatch that can mislead users and agents into performing broader actions and sharing more data than the stated purpose implies.

Context-Inappropriate Capability

Medium

Confidence: 96% confidence
Finding: The registration flow requests bio, email, timezone, location, and model_info for a simple garden-walk experience, which exceeds apparent necessity and increases privacy risk. Collecting optional but sensitive contextual data under a low-risk entertainment framing can enable profiling, deanonymization, or unnecessary retention of user attributes.

Context-Inappropriate Capability

Low

Confidence: 88% confidence
Finding: The skill exposes browsing and previewing of unrelated experiences even though the declared purpose is a single wisteria experience. This broadens the reachable API surface and can cause agents to take actions outside the user's expected scope, undermining least privilege and clear consent.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs users to submit personal profile data during registration without any clear privacy warning, retention statement, or explanation of how the data will be used. That omission weakens informed consent and makes it easier for agents or users to disclose sensitive information to an external service without understanding the consequences.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.