Back to skill

Security audit

PriceWin Hotel Deal Finder

Security checks across malware telemetry and agentic risk

Overview

This skill appears to perform the hotel-price comparison it advertises, using disclosed browser automation and travel-service network calls without evidence of theft or destructive behavior.

Install only if you are comfortable with a skill that launches a local browser automation daemon, contacts hotel/travel providers, downloads a browser dependency, and caches selectors/session state under your home cache directory. Avoid using it for sensitive travel plans unless you are comfortable sharing the search details with those providers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares no permissions while its documented behavior clearly requires environment-variable access and outbound network communication. This undermines transparency and informed consent, making it easier for a host agent or user to invoke a networked, data-fetching workflow without understanding its true capabilities.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill presents itself as a narrow hotel-price comparison tool, but the analysis indicates it also exposes general-purpose browser automation, a persistent localhost browser-control daemon, selector/cache management, and arbitrary site interaction features. That mismatch materially increases risk because a user or orchestrator may trust and auto-invoke it for benign travel tasks while it actually contains reusable automation primitives that could be repurposed for broader scraping, session abuse, or local attack-surface expansion.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The package description claims the skill provides generic agent-driven browser primitives and free-form DOM reasoning, which is broader than the stated hotel-price-comparison purpose. In an agent-skill ecosystem, this kind of scope mismatch can mask a more powerful browsing capability than users or reviewers expect, increasing the risk of unintended web interaction or abuse.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Advertising action-by-action browser control with no pre-coded selectors indicates a highly general browser automation capability rather than a constrained hotel-search workflow. In this skill context, that broad autonomy makes the package more dangerous because it could navigate arbitrary sites, interact with unexpected content, or be repurposed beyond hotel deal finding.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The code sends user-supplied hotel search details (city, check-in/check-out dates, adults) to an external OpenTravel API endpoint via `fetch`, and this file does not provide any notice, consent, or local-only alternative. While the data is not highly sensitive by itself, travel itinerary details can still be personal data and may be unexpected to users if they believe the tool only compares OTA websites directly.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The snapshot function serializes broad portions of visible page content and multiple element attributes such as aria-label, placeholder, name, href, id, and data-* markers into text returned to the agent. On hotel booking and travel sites, those fields can contain sensitive user-entered or session-linked information such as destination queries, traveler details, loyalty/account identifiers, booking links with tokens, or other page-visible personal data, and there is no minimization, consent, or redaction step before exposing it to the LLM layer.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"postinstall": "echo 'Run install.sh next to download Chromium' >&2"
  },
  "dependencies": {
    "patchright": "^1.55.2"
  },
  "engines": {
    "node": ">=20"
Confidence
81% confidence
Finding
"patchright": "^1.55.2"

VirusTotal

55/55 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.