Security audit

HANHANLI

Security checks across malware telemetry and agentic risk

Overview

This skill should go to Review because it can remember and share sensitive travel and family behavior beyond a simple hotel search, though no malware or destructive code was found.

Install only if you are comfortable with a hotel assistant that may remember travel behavior across sessions and support family-shared preferences. Keep history learning and family sharing off unless clearly needed, avoid entering payment details, contacts, health needs, or private travel plans, and require clear controls for opt-in, review, deletion, and sharing before using it with real bookings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (12)

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The skill proposes collecting and using implicit identity signals such as behavior, device/environment, and time patterns, which goes beyond the stated hotel-comparison purpose and creates unnecessary profiling risk. In this context, the extra data collection increases the chance of misidentification, covert tracking, and privacy overreach across multiple household users.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The design expands from hotel comparison into family account management, relationship tracking, and long-term household profiling, which materially broadens the data surface without clear necessity. That scope creep increases exposure of sensitive interpersonal and preference data and makes cross-user access mistakes more likely.

Context-Inappropriate Capability

Medium
Confidence: 84%
Finding
The proposed integrations with calendars, contacts, and social sharing are unrelated to core hotel-price comparison and would grant access to sensitive external data sources. In a consumer travel context, such integrations can expose private schedules, address books, and social graphs far beyond what is needed to compare hotels.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The script presents itself as performing hotel search and cross-platform comparison, but it only emits hard-coded mock data. In a user-facing agent skill, this is dangerous because downstream users or systems may rely on fabricated pricing and recommendation output as if it were real, leading to deceptive decisions and loss of trust.

Description-Behavior Mismatch

Medium
Confidence: 98%
Finding
The file's behavior does not match the skill's advertised capability: it writes predetermined markdown content rather than performing hotel search, price comparison, package analysis, or personalization. This mismatch can mislead operators into believing the skill has real booking intelligence, creating integrity and trust risks, especially if used in demos, automation, or customer workflows.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
This design goes beyond short-lived hotel search assistance and creates persistent per-user behavioral profiles, preference weights, success histories, and learning metrics over time. Even without direct payment data, longitudinal profiling can reveal sensitive lifestyle patterns, travel habits, family status, and risk preferences, and it increases privacy harm if data is misused, breached, or repurposed.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The document claims personal identity information is not collected, but the examples still use stable user identifiers and maintain exportable, longitudinal histories tied to a single user. Stable identifiers make re-identification and cross-session tracking possible, so the privacy assurances are misleading and weaken user consent and risk understanding.

Vague Triggers

Medium
Confidence: 81%
Finding
The trigger condition is defined broadly enough that ordinary hotel-related requests could activate the skill unintentionally, causing the agent to invoke this capability when the user did not explicitly ask for multi-platform comparison. In a skill that performs personalized recommendation and may use historical behavior, accidental activation increases the chance of unnecessary data processing and confusing or overreaching responses.

Missing User Warnings

High
Confidence: 95%
Finding
The README explicitly describes recording, analyzing, and continuously learning from user search, filtering, and selection history, but provides no notice about consent, retention, minimization, or how personal data is used. Because this skill profiles users and infers preferences, the lack of privacy safeguards makes unauthorized collection and long-term behavioral tracking a significant privacy and compliance risk.

Missing User Warnings

Medium
Confidence: 95%
Finding
The document describes implicit user identification based on behavior, device/environment, and time patterns without a clear upfront notice or meaningful consent flow. Hidden monitoring of this kind is dangerous because users may not realize they are being profiled or that their identity is being inferred, especially in shared-family settings.

Missing User Warnings

Medium
Confidence: 93%
Finding
The family synchronization design shares preferences and potentially history across users without ensuring an upfront warning that data may become visible to other family members. In a multi-user household context, this creates a real risk of privacy leakage, mistaken sharing, and disclosure of sensitive habits or travel patterns to unintended people.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill begins by describing collection of detailed search behavior, decision reasoning, and selection history without an upfront privacy notice or consent step. In context, this is more dangerous because a hotel comparison skill does not inherently require silent longitudinal surveillance, so users may reasonably expect ephemeral assistance rather than behavioral tracking.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.