Mexico

Security checks across malware telemetry and agentic risk

Overview

This Mexico travel skill is a local guide that stores trip preferences in a dedicated local folder and shows no evidence of network access, exfiltration, or destructive behavior.

Safe to install if you want a Mexico travel-planning assistant. Be aware it may save trip dates, budget, dietary needs, mobility needs, bookings, and preferences in ~/mexico/memory.md; review or delete that file if you do not want those details retained locally.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The activation trigger is broad enough that ordinary mentions of Mexico travel could cause the skill to initialize and begin collecting/storing user information without a clearly bounded consent step. In this travel-planning context the data is not inherently highly sensitive, but ambiguous triggering increases the chance of unintended persistence and privacy surprises.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill instructs the agent to create a local directory and persist user travel preferences without any notice, opt-in, or retention controls. Even for a benign travel guide, this creates a real privacy risk because itinerary details, budget, mobility needs, and dietary constraints may be sensitive personal data and could be stored unexpectedly across sessions.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal