Back to skill

Security audit

Simulated Roadtrip

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: it sends chosen road-trip details to Turai, then prints or optionally saves the generated stops.

Install only if you trust Turai with your API key and the route details you enter. Avoid exact home addresses or sensitive travel plans, confirm before posting generated stops publicly, and choose --output paths intentionally so you do not overwrite files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly encourages the agent to post ongoing trip updates to chat, Moltbook, or other messaging channels, but it does not warn that the generated content is based on real route and location data. That can cause unintended disclosure of sensitive travel patterns, destinations, or inferred whereabouts to external audiences, especially if users treat the feature as playful fiction rather than real-world data publication.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The setup and API usage instruct users to configure an API key and send trip parameters to an external service, but there is no explicit disclosure that user inputs and credentials will be used in outbound network requests. This creates a transparency and data-handling risk: users may not realize that locations, routes, and themes are transmitted to a third-party service, and improper operational use could expose secrets or sensitive itinerary data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/roadtrip.mjs:69