tper-hellobus

Security checks across malware telemetry and agentic risk

Overview

This is a coherent public bus-arrival lookup skill, with a disclosed but broader-than-ideal shell-based API call that users should handle carefully.

Install only if you are comfortable allowing the agent to make requests to the TPER Hellobus domain. Use numeric stop codes and line numbers, and prefer an environment that confirms shell commands or replaces the curl step with a scoped HTTP request tool.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Context-Inappropriate Capability

Medium

Confidence: 93% confidence
Finding: The skill explicitly instructs the agent to use `bash_tool` with `curl`, which expands a simple transit lookup into shell-capable execution. Even though the shown command is a fixed HTTPS request, routing user-derived parameters through shell tooling increases injection and tool-misuse risk compared with a constrained HTTP client, especially if inputs are not strictly validated and escaped.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal