ds160-autofill

Security checks across malware telemetry and agentic risk

Overview

This DS-160 automation skill is purpose-aligned, but it handles very sensitive visa and recovery information with automatic AI/tool use, plaintext persistence, and browser scripting that need careful review.

Install only if you are comfortable with an agent handling sensitive visa data. Review each page before continuing, do not rely on the generated security answers, avoid sending personal fields or screenshots to external AI tools unless you explicitly accept that disclosure, keep the workspace private, and delete or protect ds160-user-info.csv and ds160-session.json after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The function presents security-question generation as random, but the answers come from a tiny fixed set of hard-coded values. Anyone with knowledge of the script or access to the code can predict likely recovery answers, weakening account/session recovery protections for a highly sensitive visa workflow.

Missing User Warnings

High
Confidence: 98%
Finding
The skill instructs sending captcha images, page snapshots, HTML snippets, field context, and untranslated user-provided values to an LLM or image tool. In a DS-160 context, these materials can contain highly sensitive personal, travel, family, passport, and immigration data, yet the workflow provides no explicit consent flow, minimization guidance, or privacy warning to the user. This creates a real risk of unauthorized disclosure to third-party model providers or downstream logging systems.

Missing User Warnings

High
Confidence: 99%
Finding
The skill directs storage of application recovery data including Application ID, security question, and security answer in a local session file without warning the user about the sensitivity of this information. These values function like account recovery secrets for the in-progress visa application, so plain local persistence materially increases the chance of account compromise or unauthorized access if the workspace is exposed.

Missing User Warnings

Medium
Confidence: 95%
Finding
The file comprehensively enumerates highly sensitive personal data fields, including passport numbers, national ID, family details, travel history, social media identifiers, security questions, and answers to criminal/immigration background questions, yet it contains no privacy notice, minimization guidance, retention limits, or handling restrictions. In the context of an automation skill for visa-form completion, this materially increases the risk of over-collection, unsafe storage, logging, replay into browser scripts, and downstream exposure of regulated personal data.

Missing User Warnings

Medium
Confidence: 88%
Finding
The script saves session data, including application ID, security question, and security answer, to a local JSON file in the workspace without any explicit warning, access controls, or protection. In the DS-160 context this data is sensitive, and local persistence increases exposure to other local users, malware, backups, or accidental disclosure.

Missing User Warnings

Medium
Confidence: 90%
Finding
The helper writes raw CSV content containing visa-form personal data to disk in the workspace without an explicit privacy warning or safeguards. Because DS-160 data can include extensive personally identifiable and immigration-related information, plaintext local storage materially raises confidentiality and compliance risk if the host is shared or compromised.

Ssd 3

High
Confidence: 99%
Finding
The instructions require both storing and later surfacing highly sensitive recovery data such as the Application ID, security question, and security answer. In the DS-160 context, these values can enable resumption or recovery of an application, so exposing them in plaintext files and routine workflow steps increases the blast radius of any local compromise, log leak, or shoulder-surfing incident.

Ssd 3

High
Confidence: 100%
Finding
The progress reporting template explicitly instructs including the Application ID, security question, and security answer in every report. Repeatedly echoing these secrets into chat transcripts, logs, or monitoring systems unnecessarily propagates sensitive recovery information and materially raises the chance of unauthorized reuse or disclosure.

Ssd 3

Medium
Confidence: 97%
Finding
The session persistence section normalizes ongoing retention of sensitive recovery information across updates and resumptions. Even if intended for convenience, retaining this data longer than necessary expands the window for compromise and conflicts with data minimization principles for highly sensitive immigration records.

VirusTotal

64/64 vendors flagged this skill as clean.
