Travel Search Flight Train Scenery - 旅行搜索 航班 火车 景点

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed travel-search helper that queries travel providers and uses a JisuAPI key for train lookups, with no evidence of hidden or destructive behavior.

Install only if you are comfortable sending travel search details to ly.com and JisuAPI. Use a dedicated JISU_API_KEY where possible, watch quota or billing, and consider installing the Python dependencies in a virtual environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 85%
Finding:
The skill requires environment access for an API key, reads local files such as `airport.md`, and performs network requests, but the manifest does not declare explicit permissions for those capabilities. This weakens sandboxing and reviewability because consumers cannot accurately assess what the skill can access before execution, increasing the risk of unintended data exposure or overly broad runtime access.

Vague Triggers

Medium
Confidence: 80%
Finding:
The trigger description is broad and loosely scoped, covering generic travel-planning requests and 'similar' queries. Overbroad routing can cause the skill to be invoked unexpectedly, leading to unnecessary external requests, use of the API key, and unintended sharing of user travel queries with third-party services.

VirusTotal

66/66 vendors flagged this skill as clean.
