Security audit

dream-journey(寻梦之旅)

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent as a dream-based travel planner, but it needs Review because it combines booking/photo-analysis flows with risky install guidance and unsafe generated HTML handling.

Install only if you are comfortable using FlyAI/Fliggy for travel searches, possible account authorization, and photo-related analysis. Avoid running the sudo curl-to-bash install command unless you independently verify it, use local/trusted photos where possible, do not put sensitive personal details into generated reports, and require an itemized final confirmation before any booking or payment step.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The README makes a concrete security/privacy claim that auxiliary scripts only read local JSON and do not collect personal information, but elsewhere documents interfaces that accept raw dream text and image paths/URLs. Even if no exfiltration occurs, this is a misleading assurance that can cause users to disclose sensitive personal or location-related data under false assumptions about the data surface.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The safety section claims local scripts will not access the network, but the HTML workflow explicitly supports remote image URLs. When the generated HTML is opened, the browser will fetch those external resources, which can leak the user's IP address, user agent, access time, and possibly sensitive referrer/path information to third parties, contradicting the stated privacy model.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The generated HTML interpolates raw user-controlled values such as description, cnPrompt, enPrompt, and extracted elements directly into the page without HTML escaping. If an attacker supplies markup like <script> or event-handler payloads in the dream description, opening the generated preview can trigger stored/local XSS in the browser, which may execute arbitrary JavaScript in the local file context.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrases are broad natural-language requests like '启动寻梦之旅!' and '我反复梦到一个地方,帮我找到它!', which can plausibly appear in ordinary conversation. In agent environments, vague activation boundaries increase the chance of accidental invocation, causing unintended collection of sensitive dream/travel details or execution of planning behavior without the user's clear intent to run this specific skill.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The additional suggested phrases, especially variants like '帮我寻梦', are highly generic and expand the accidental-invocation surface. Given this skill's travel-planning and photo-analysis context, unintended activation could expose personal preferences, travel dates, departure city, budget, or uploaded imagery to downstream processing when the user may have intended only casual conversation.

Chaining Abuse

High
Category
Tool Misuse
Content
```bash
# Use the NodeSource repository
curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -
sudo apt-get install -y nodejs

# Verify the installation
```
Confidence
91% confidence
Finding
`| sudo`

VirusTotal

60/60 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.