LovTrip Content Browser

Security checks across malware telemetry and agentic risk

Overview

This is a benign travel-search helper, with the main caveat that travel searches go to LovTrip and the optional CLI runs an external npm package.

Install this only if you are comfortable sending travel searches, destinations, and itinerary interests to lovtrip.app. Prefer the curl examples, or pin and review the npm CLI version, if you do not want to run npx lovtrip@latest.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 93% confidence
Finding: The skill instructs users to send search queries and destination interests to a third-party public API without any disclosure that those terms leave the local environment. While this is expected for a travel content browser, search terms can still reveal sensitive travel plans, locations, or personal interests, so the omission creates a privacy risk rather than a direct code-execution issue.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal