Hokkaido Travel Companion

Security checks across malware telemetry and agentic risk

Overview

This is a travel-planning skill that stores trip notes locally, with no evidence of hidden execution, exfiltration, or destructive behavior.

Install only if you are comfortable with the agent keeping local trip notes and budget details. Review or delete the local vault and memory/travel-budget.json before sharing or publishing the skill folder.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly instructs the agent to collect user preferences and store reusable travel knowledge in a local vault, but it provides no user-facing disclosure, consent step, or retention guidance. This creates a real privacy risk because itinerary details, preferences, and potentially sensitive travel patterns may be persisted locally without the user realizing their data is being written and reused later.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The setup flow asks for daily budget, IC card type, hotel nearest station, and trip dates, then directs the agent to save them to memory/travel-budget.json without warning the user that this information will be written to disk. While not overtly malicious, this is a concrete privacy and data-handling flaw because it persists location-adjacent and behavioral data that could expose travel plans or habits if the device or storage is accessed by others.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal