Transit Risk Assessment & Delay Hotel Recommendations & Last-Mile Transport Check

Security checks across malware telemetry and agentic risk

Overview

This is a coherent travel-risk helper, but users should understand it may send itinerary details to external travel, hotel, and transport services despite a brief privacy statement.

Install only if you trust the external MCP providers and can control the API keys they receive. Treat itinerary, airport, city, and possibly location-derived data as data that may be processed by those providers, and keep proactive SMS/email/push notifications opt-in.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Intent-Code Divergence

Medium

Confidence: 96% confidence
Finding: The skill claims it does not share user location with third parties, but its design explicitly depends on external MCP services for travel, hotel, and city transport lookups that would require transmitting itinerary, destination, and potentially location-derived data. This creates a privacy-consent mismatch that can mislead users and operators, causing unauthorized disclosure of sensitive travel data to external providers.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal