Security audit

去哪不挤

Security checks across malware telemetry and agentic risk

Overview

This is a coherent offline travel-report skill that reads bundled templates and writes local report files, with no evidence of credential access, network calls, exfiltration, or destructive behavior.

Install only if you want a travel skill that automatically generates local Markdown and HTML report files. Run it in a workspace where those files are acceptable, and be aware that the fixed latest report filenames may replace earlier outputs. The skill appears offline and does not use live pricing, live crowd data, credentials, or external APIs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs the agent to read local reference files and write multiple output files, but the metadata does not declare any permissions or warn the user about filesystem access. This creates a transparency and authorization gap: users may invoke a travel-report skill without realizing it will access and persist local data in the working directory.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill mandates creation of several local Markdown and HTML files, including a fixed latest-alias file, without any user-facing warning or opt-in. Unannounced file creation can clutter shared workspaces, overwrite existing files, or leave sensitive trip-planning content behind in persistent storage, making the behavior riskier than a purely conversational skill.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill enables implicit invocation without defining any trigger scope, exclusion rules, or tighter policy constraints. That can cause the agent to auto-select this skill in loosely related travel conversations, increasing the chance of unintended data exposure, surprising behavior, or report generation in contexts the user did not clearly request.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The alias list includes very broad terms such as “周边”, “短途”, and “人少”, which are not unique to this frame and can match many unrelated travel queries. In a routing skill, this can cause the wrong destination frame to activate, producing misleading recommendations and degrading trust in the system’s decision logic.

Vague Triggers

Medium
Confidence
95% confidence
Finding
Aliases like “海边”, “看海”, “海岛”, and “沙滩” are extremely generic and are likely to match a wide range of user requests that are not specifically about the Sanya-vs-Okinawa decision frame. This creates trigger ambiguity that can route users into an overly narrow recommendation path, reducing accuracy and potentially leading to inappropriate travel advice.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The Hangzhou frame uses ambiguous aliases like “周边不挤” and “短途更舒服,” which describe broad travel preferences rather than a clear Hangzhou-specific context. This increases the chance that users from other cities or with unrelated short-trip requests are incorrectly mapped to this frame.

Vague Triggers

Medium
Confidence
93% confidence
Finding
Terms like “城市”, “大城市”, “citywalk”, “看展”, and “都市” are common travel descriptors with very low specificity. In this skill’s context, such aliases can cause broad accidental activation of the Beijing-Seoul frame for many general urban-travel queries, resulting in misrouting and poor recommendation quality.

Vague Triggers

Medium
Confidence
92% confidence
Finding
Aliases such as “美食”, “舒服”, “慢节奏”, and “放松城市” are lifestyle descriptors shared by many destinations and user intents. Their use as direct triggers makes the Chengdu frame overly permissive, which can misclassify broad travel queries and skew users toward this specific recommendation set.

VirusTotal

49/49 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.