Voyage

Security checks across malware telemetry and agentic risk

Overview

Voyage is a coherent travel-planning skill, but it automatically installs a daily silent self-update task that can replace its own files from GitHub.

Install only if you are comfortable with a travel skill storing local itinerary and journal data and creating a daily background updater. Review or disable the voyage:update cron job before use, and prefer manual updates from a pinned or verified release rather than silent updates from GitHub main.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The README states that initialization automatically registers a daily cron job for self-updates, which gives a travel-planning skill ongoing code-fetch and code-change capability unrelated to its core purpose. Even if intended for maintenance, autonomous updates expand the attack surface and can silently introduce malicious or unreviewed behavior after installation.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The skill claims no external dependencies while also documenting self-updates from GitHub source, which implies outbound network access and remote software retrieval. This mismatch can mislead reviewers and users about the true trust boundary, making risky behavior easier to hide or overlook.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The skill contains a built-in self-update path that fetches a tarball from GitHub and overwrites the local skill directory with its contents. This creates a remote code supply-chain risk: if the upstream repository, branch, or transport path is compromised, arbitrary code or behavior can be introduced into the agent environment without meaningful review, and the feature is not necessary for core travel-planning functionality.

Missing User Warnings

Medium
Confidence: 93%
Finding
The README describes a daily automatic self-update cron job without a prominent warning that the installed skill can change over time without direct user review. Silent code drift reduces auditability and can turn an initially trusted skill into an untrusted one after deployment.

Missing User Warnings

Medium
Confidence: 84%
Finding
The README says the skill may use trip companion context from a social graph, but it does not provide a privacy notice about what companion data is accessed, how consent is obtained, or how that data is stored and shared. In a travel context, social graph data can reveal sensitive relationship, location, and behavioral information.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly persists trip plans, recommendations, and reservation details to local files after every command, but it does not state that users will be notified or asked for consent. Travel itineraries and reservation data can reveal sensitive patterns such as location history, companions, dietary constraints, and upcoming absences, increasing privacy and data exposure risk on shared or compromised systems.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill may read preference data from Taste and social graph data from Weave to influence travel recommendations without any explicit privacy disclosure or consent boundary. Cross-system data access can silently aggregate sensitive personal and relational information, which is especially risky in a travel context where companion identity, habits, and preferences may be private.

Missing User Warnings

Medium
Confidence: 96%
Finding
The self-update workflow downloads and installs remote code silently, yet the documentation does not clearly warn users that executing the update will replace local code from a network source. That combination creates a dangerous trust gap: users may invoke a routine maintenance command without understanding that it can materially change executable behavior and introduce supply-chain compromise risk.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill mandates persistent journal creation for every run, including detailed runtime and decision metadata, but provides no requirement to notify users or obtain consent for storing this data. In a travel-planning context, commands, hashes, timestamps, node identifiers, and action details can reveal sensitive behavioral or operational information, creating privacy and retention risk if users are unaware of the logging.

VirusTotal

65/65 vendors flagged this skill as clean.
