
Security audit

Trip Website Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward static travel website generator with no hidden network access, credential use, or privileged behavior.

Before installing, be aware that generated content defaults to Chinese unless you ask otherwise. Review generated pages before publishing, especially any user-provided itinerary text or inserted SVG/HTML content, and avoid putting private trip details or secrets into a public website.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Natural-Language Policy Violations

Medium
Confidence: 96%
Finding
The skill hard-codes a language preference ('Always use Chinese for content unless user specifies otherwise'), which can override user expectations and reduce transparency in multilingual contexts. While not directly enabling code execution or data exfiltration, it can cause unauthorized content transformation and weaken user control over outputs.

VirusTotal

66/66 vendors flagged this skill as clean.
