qunar-travel-query

Security checks across malware telemetry and agentic risk

Overview

This travel-query skill is plausible, but it can send the configured Qunar API key to any runtime-supplied URL, so it should be reviewed carefully before installation.

Install only if you trust the operator and will use verified official Qunar HTTPS endpoints. Prefer a version that hardcodes or allowlists Qunar domains, removes arbitrary endpoint control, and only attaches the API key to approved Qunar hosts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Tainted flow: 'headers' from os.getenv (line 74, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
        # 3. Send the request
        if method.upper() == "GET":
            response = requests.get(
                api_endpoint,
                headers=headers,
                params=api_params,
Confidence
99% confidence
Finding
response = requests.get( api_endpoint, headers=headers, params=api_params, timeout=30 )

Tainted flow: 'headers' from os.getenv (line 74, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
                timeout=30
            )
        else:
            response = requests.post(
                api_endpoint,
                headers=headers,
                json=api_params,
Confidence
99% confidence
Finding
response = requests.post( api_endpoint, headers=headers, json=api_params, timeout=30 )

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The document explicitly states the skill uses a generic API query framework that supports custom API endpoints and parameters, which expands the capability far beyond a fixed Qunar travel lookup skill. In a skill that also configures an Authorization API key, this creates an SSRF-like/exfiltration risk because users may be induced to send authenticated requests to arbitrary destinations under the guise of normal travel queries.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Allowing arbitrary API endpoints is inconsistent with the declared purpose of a narrowly scoped travel information skill and materially increases the attack surface. A malicious prompt or misconfiguration could redirect requests to attacker-controlled infrastructure or unintended internal/external services while preserving the appearance of legitimate skill usage.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
Although described as a Qunar travel-information query tool, the script actually permits arbitrary URLs, so its real capability is far broader than advertised. This mismatch is dangerous in an agent setting because higher-level systems or users may trust it as narrowly scoped while it can reach attacker-chosen external services.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Allowing arbitrary destination URLs plus caller-selected HTTP methods gives the skill unjustified generic network capability. In an agent environment, this can be repurposed for data exfiltration, probing, or sending authenticated requests outside the intended business function.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs users to configure an API key in the Authorization header while also permitting custom endpoints, but it does not warn that the credential may be sent to whatever endpoint is supplied. This is a direct secret-exfiltration risk: an attacker can provide or influence a custom URL and cause the user's Qunar API key to be disclosed to an attacker-controlled server.

VirusTotal

66/66 vendors flagged this skill as clean.
