Pricewin Deal Finder

Security checks across malware telemetry and agentic risk

Overview

This skill uses a local browser helper to compare hotel prices on travel sites, and its behavior matches that stated purpose.

Install only if you are comfortable with your hotel search details being sent to Booking, Agoda, Google Hotels, OpenTravel, and an exchange-rate service. Review or override the locale when market, language, currency, taxes, or displayed rates matter.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Low

Confidence: 88% confidence
Finding: The skill instructs the agent to immediately run a terminal command that performs browser automation and direct API lookups, but does not provide a clear user-facing warning that travel queries and parameters will be transmitted to multiple third-party services. That can surprise users and expose itinerary details or locale preferences without explicit acknowledgment.

Natural-Language Policy Violations

Medium

Confidence: 82% confidence
Finding: Defaulting locale to `en-us` without user opt-in can silently alter region/language targeting and influence returned prices, availability, currency behavior, and tracking context across OTAs. In a travel-pricing skill, locale is materially relevant, so silently imposing a U.S. locale can mislead users and disclose assumptions about region preferences.

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal