Irish Takeaway Finder

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it helps find Irish takeaways and view menus, while relying on external restaurant/location services.

Install only if you are comfortable using an external goplaces CLI and sharing a town, postcode, or address with Google Places and food-delivery sites. Use a restricted Google Places API key, watch quota or billing, and avoid login, payment, or ordering flows unless a future version clearly scopes those capabilities.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to type a user's address or location into Deliveroo or Just Eat via browser automation, but the description does not clearly warn that this data will be transmitted to third-party services. This creates a privacy and consent risk because users may provide precise location information without understanding it will be shared externally.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal