台灣即時停車查詢 (Taiwan Real-Time Parking Lookup)

Security checks across malware telemetry and agentic risk

Overview

This parking lookup skill mostly matches its stated purpose, but it includes an updater that can replace installed skill code from an unpinned GitHub branch.

Review before installing. The parking lookup behavior appears legitimate, but remove or avoid running update.sh unless you fully trust the GitHub repository and accept unreviewed code changes after installation. Use dedicated TDX credentials, expect precise locations or map URLs to be sent to external services, and prefer raw coordinates over untrusted short links.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill documentation indicates capabilities such as environment variable access, network use, file read/write, and shell execution, but it does not declare any permissions. This creates a trust and sandboxing problem: users and the host platform cannot accurately assess or restrict what the skill may do, and the undocumented shell/network capabilities materially increase the attack surface.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The documented purpose is a parking lookup tool, but the implementation reportedly also checks GitHub for updates via a shell script and uses undeclared credentials from environment variables. Hidden self-update behavior is especially risky because it can introduce remote code changes after installation, while undeclared credential and network use undermines informed consent and security review.

Missing User Warnings

Medium
Confidence: 84%
Finding: This skill processes precise location data and forwards queries to external mapping and transportation services, but the documentation does not clearly warn users that sharing a pin or Maps URL may disclose sensitive location information. In a location-based skill, lack of transparent privacy disclosure increases the risk of users unknowingly exposing home, work, or travel patterns.

Missing User Warnings

Low
Confidence: 74%
Finding: User-supplied Google Maps short URLs are resolved by making a server-side HEAD request, which discloses the provided URL to external infrastructure and can cause unintended outbound requests. Because the code follows redirects, an attacker could supply a crafted short link or lookalike domain to trigger requests to arbitrary destinations, making this a limited SSRF/privacy issue in skill-hosted environments.

Missing User Warnings

Medium
Confidence: 94%
Finding: The script downloads executable skill code and metadata directly from a remote GitHub repository and overwrites the local installed files without any integrity verification, signature check, pinning to a trusted commit, or user confirmation. If the repository, owner account, network path, or referenced branch is compromised, every system running this updater can be silently supplied with attacker-controlled code on the next update cycle.

VirusTotal

65/65 vendors flagged this skill as clean.