DB Travel

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Deutsche Bahn travel lookup tool that makes disclosed network requests and shows no evidence of hidden data access or persistence.

Install only if you are comfortable with travel queries being sent to v6.db.transport.rest. No API key is needed, and the reviewed code does not access local files or secrets, but outbound network access is required for the skill to work.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 96% confidence
Finding: The skill explicitly instructs users to run a Python script that makes outbound requests to the Deutsche Bahn public API, but the skill metadata shown here does not declare any corresponding network permission. Undeclared network capability weakens sandboxing and review controls because operators and users cannot accurately assess what external communication the skill performs, even if the current documented endpoint appears benign.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal