Security audit

Crypto Traveler - Book Hotels and Flights with Bitcoin

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a coherent travel-booking integration, but users should know it can access account details and past bookings through the linked travel account.

Install only if you are comfortable linking the travel account and allowing the skill to retrieve account details and booking history when needed. Ask the agent to use account or history endpoints only for explicit tasks such as showing an existing booking, and avoid sharing unnecessary itinerary, identity, or payment-related details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The skill advertises booking flights, hotels, and eSIMs, but it also documents endpoints for retrieving user account details and booking history. That creates a scope mismatch: an agent granted this skill could access more personal data than a user would reasonably expect from the manifest description, increasing privacy and over-privilege risk.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The USER_ACCESS section states that the token enables access to selected booking and account data, but this broader data access is not clearly tied to the minimal needs of booking travel. In an agent setting, ambiguous capability descriptions can lead to unnecessary collection or exposure of sensitive personal and travel-history information.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill explains that USER_ACCESS can expose user-specific account and booking data, but it does not require a user-facing notice or explicit consent before such retrieval. That omission can cause agents to access personal data silently, which is dangerous in privacy-sensitive travel contexts where booking history and account details may reveal identities, locations, and patterns of movement.

Missing User Warnings

Medium
Confidence: 92%
Finding
The account endpoints section lists direct access to account details and historical bookings but lacks an explicit warning that these calls return sensitive personal data. In practice, this makes it easier for an agent implementer to treat them as routine API calls rather than high-sensitivity operations requiring special handling and consent.

Ssd 3

Medium
Confidence: 86%
Finding
The skill includes operational guidance for using USER_ACCESS to access user-linked data beyond the minimum needed to execute a new travel booking. That broadens the agent's reachable data surface and can facilitate unnecessary collection of account details and prior booking information.

Ssd 3

Medium
Confidence: 90%
Finding
The account endpoints are presented as normal supported operations, effectively encouraging agents to fetch booking history and account records. In a travel skill, those records can contain highly sensitive personal, itinerary, and identifying information, so normalizing access without stronger safeguards is risky.

VirusTotal

64/64 vendors flagged this skill as clean.