火车订票班次查询 - 聚合数据

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward train timetable lookup that runs a local Python script and sends route/date queries to Juhe as part of its advertised purpose.

Install only if you are comfortable using a Juhe API key and sending train search details such as departure station, arrival station, date, and filters to Juhe. Prefer an environment variable or a protected .env file for the key, and avoid passing the key on shared command lines.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill sends user-supplied route and date queries to a third-party provider but does not clearly warn users in the skill description that this data leaves the local environment. Travel plans can be sensitive, and lack of disclosure undermines informed consent and privacy expectations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal