Security audit

Travel Skill Transfer Planner

Security checks across malware telemetry and agentic risk

Overview

This is a simple travel learning planner that only turns the user's request into descriptive JSON guidance and does not access accounts, files, networks, or credentials.

Install this as an informational planning aid, not as a source of live travel availability or professional advice. Be aware it may activate for some broad travel or personal-growth prompts, so verify any destination, provider, safety, visa, or booking information with official sources before acting.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The trigger phrases are overly broad and include generic travel- and growth-related language, which can cause accidental invocation outside the intended scope. In an agent environment, ambiguous activation increases the chance that this skill intercepts unrelated user requests, producing irrelevant guidance or overriding a more appropriate skill.

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The example prompts contain very generic wording like 'help me' and 'provide framework,' which weakens invocation boundaries and can lead to overmatching with ordinary travel-planning requests. This can degrade routing safety by causing the skill to activate when user intent does not specifically concern travel-based skill transfer.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.