Security audit

Travel Slow Experience Architect

Security checks across malware telemetry and agentic risk

Overview

This is a low-risk travel-planning skill that only formats user-provided trip details into descriptive slow-travel recommendations.

Safe to install for slow-travel planning. Users should still verify destinations, prices, safety advisories, and cultural details with current official sources because the skill does not use live data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger conditions are broad and ambiguous, including phrases like 'experience', 'pace if applicable', and generic travel-planning language. This can cause accidental invocation in unrelated user conversations, leading to prompt-routing confusion, unintended disclosure of user context to the wrong skill, or policy bypass through overly permissive activation.

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The example prompts use generic phrases such as 'help me', 'provide framework', and 'create checklist' that overlap heavily with normal travel-assistance requests. In a multi-skill environment, this increases the likelihood of over-broad matching and accidental invocation, which can degrade security boundaries between skills and produce unintended behavior.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.