途牛旅游CLI技能
Security checks across malware telemetry and agentic risk
Overview
This travel-booking skill is coherent, but it can create or cancel travel orders and submit personal details through an external CLI without clearly requiring final user confirmation.
Review before installing. Use a dedicated or least-privilege Tuniu API key if possible, avoid exposing the key or traveler PII in logs, pin or verify the external CLI package, and instruct the agent to ask for explicit confirmation before any order creation, booking, or cancellation.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
VirusTotal
63/63 vendors flagged this skill as clean.