Back to skill

Security audit

Travel Planner HY

Security checks across malware telemetry and agentic risk

Overview

This travel skill is not clearly malicious, but it needs review because it can create real bookings with sensitive traveler data and uses unsafe shell-based third-party booking commands.

Install only if you are comfortable giving it travel itinerary details and optional booking identity data. Before using /travel-plan-hy book, confirm the exact train, price, passengers, and that a real order may be created. Avoid entering unusual shell characters in trip fields until the Tuniu command wrapper is fixed to use safe argument passing, and review third-party CLI/API keys and dependency versions before enabling live booking.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill instructs the host/agent to use environment-backed secrets such as `AMAP_API_KEY`, `TUNIU_API_KEY`, and `FLYAI_API_KEY`, but no explicit permissions or capability declaration is documented in the skill file. That creates a transparency and least-privilege problem: a reviewer or runtime may not realize the skill expects secret-bearing environment access and external network calls.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented behavior materially overclaims and conflicts with what static analysis says is actually implemented, including missing Fliggy integration, missing end-to-end booking flow, and only generic QR generation. Security-wise, this is dangerous because users may provide sensitive travel and identity data under the assumption that vetted booking, comparison, and payment logic exists when it may not, reducing informed consent and trust boundaries.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The privacy/compliance section says booking and payment must be completed by the user on third-party platforms and that the skill does not perform payment, but later workflow text directs direct order submission and payment QR generation. This contradiction can mislead users into disclosing personal and payment-adjacent information under false pretenses, undermining consent and compliance expectations.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The document claims the skill only performs planning and display of reference information, yet later defines a real booking flow with collection of names, ID numbers, phone numbers, order submission, and QR payment support. This is a significant trust and privacy mismatch that can cause users to share highly sensitive PII in a context they were told was informational only.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README advertises one-click booking and payment QR code generation but does not warn users that invoking the skill can create real reservations or transmit booking/payment-related data to external services. In an agentic environment, this omission increases the risk of unintended purchases, privacy exposure, and user surprise because users may treat the skill as informational rather than transactional.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The `/travel-plan-hy book` command is presented like a normal utility command without any indication that it may interact with external booking systems or trigger reservation workflows. This is dangerous because users or downstream agents could execute it assuming it is a preview step, leading to unintended bookings, external API calls, or payment initiation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The template automatically embeds cross-platform price comparison and explicitly references real-time pricing from external APIs, but it does not provide a clear user-facing disclosure that external services are being queried and that trip details may be sent to third parties. In a travel-planning skill that may process destinations, dates, budgets, and booking intent, this creates a transparency and privacy risk and can mislead users about the source and freshness of data.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The skill collects multiple pieces of travel-related personal data, including destination, departure date, departure city, traveler composition such as adults and children, preferences, and dietary restrictions, but the specification includes no privacy notice, consent step, or data-minimization guidance. While this is not an exploit-enabling flaw by itself, it creates unnecessary privacy risk because sensitive itinerary and family-travel details may be processed without clearly informing the user or confirming necessity.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The rule says cross-platform price comparisons are executed automatically during plan generation, which can cause user trip details such as destination, dates, hotel names, and route information to be sent to external services without an explicit user-facing notice or consent step. In a travel-planning skill, those details are sensitive behavioral data, so silent transmission increases privacy and compliance risk even if the feature is product-motivated rather than malicious.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"README.md"
  ],
  "dependencies": {
    "axios": "^1.18.1",
    "dotenv": "^17.4.2",
    "qrcode": "^1.5.4",
    "tuniu-cli": "^1.0.7",
Confidence
92% confidence
Finding
"axios": "^1.18.1"

Unpinned Dependencies

Low
Category
Supply Chain
Content
],
  "dependencies": {
    "axios": "^1.18.1",
    "dotenv": "^17.4.2",
    "qrcode": "^1.5.4",
    "tuniu-cli": "^1.0.7",
    "@fly-ai/flyai-cli": "^1.0.16"
Confidence
92% confidence
Finding
"dotenv": "^17.4.2"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
    "axios": "^1.18.1",
    "dotenv": "^17.4.2",
    "qrcode": "^1.5.4",
    "tuniu-cli": "^1.0.7",
    "@fly-ai/flyai-cli": "^1.0.16"
  }
Confidence
90% confidence
Finding
"qrcode": "^1.5.4"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"axios": "^1.18.1",
    "dotenv": "^17.4.2",
    "qrcode": "^1.5.4",
    "tuniu-cli": "^1.0.7",
    "@fly-ai/flyai-cli": "^1.0.16"
  }
}
Confidence
95% confidence
Finding
"tuniu-cli": "^1.0.7"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dotenv": "^17.4.2",
    "qrcode": "^1.5.4",
    "tuniu-cli": "^1.0.7",
    "@fly-ai/flyai-cli": "^1.0.16"
  }
}
Confidence
94% confidence
Finding
"@fly-ai/flyai-cli": "^1.0.16"

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/generate-trip-page.js:364

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/tuniu-api.js:30

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/amap-api.js:30