Back to skill

Security audit

Travel Planner Pro

Security checks across malware telemetry and agentic risk

Overview

This travel-planning skill is not clearly malicious, but it stores sensitive trip/profile data and makes privacy claims that understate external lookups and optional remote syncing.

Review this skill before installing if you care about travel privacy. Avoid storing passport numbers, loyalty member numbers, confirmation codes, or unnecessary companion details; assume web searches, weather lookups, dashboard sync, and shared itineraries can expose trip metadata to third parties; and require confirmation before file writes, script execution, remote sync, or sending itineraries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Intent-Code Divergence

Low
Confidence
89% confidence
Finding
The prompt tells users that only the passport expiry date is stored and not the passport number, but it still persists passport validity data to disk as part of the travel profile. This is not a direct exploit primitive, but it is a privacy/transparency issue because users may underestimate that travel-related personal data is being retained locally.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The function claims to remain within the skill boundary, but it walks upward until '/' and returns the first parent directory it encounters. That can cause the script to treat a parent workspace as its root and read trip/config files outside the intended skill directory, enabling unintended data exposure or cross-skill data access if the script is run from an unexpected location or packaged inside a larger tree.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README makes strong privacy and security claims such as 'Zero data exfiltration' and 'stay on YOUR device' while also stating the skill requires internet access and works with external LLM providers. Without clear warnings that destination details, budgets, passport-related information, and other travel data may be transmitted to third-party services or exposed through web research workflows, users may be misled into sharing sensitive information under false assumptions of local-only processing.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The setup flow instructs the agent to create directories, copy files, and change permissions immediately, without first warning the user that local filesystem changes will occur. In an agent context, silent writes and overwrites reduce user control and can violate expectations about what the skill is allowed to modify.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill collects a substantial amount of personal travel data, including airport, dietary needs, companions, and passport expiry, and stores it in a local JSON file without a clear retention and privacy warning. Even if stored locally, this data can be sensitive and its persistence meaningfully increases privacy risk if the workspace is shared, synced, or later exposed.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrase "surprise me" is broad, natural language that could easily appear in unrelated conversation. In agent systems that route actions from conversational triggers, ambiguous activation phrases can cause unintended skill invocation and unexpected data use or planning behavior.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The usage trigger is broad enough to activate on ordinary travel-related conversation, causing the skill to engage and potentially read/write profile or trip files without an explicit user request to use this skill. Because the skill handles sensitive travel data and has access to external fetch/search, over-broad invocation increases the chance of unintended data processing and tool use.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The manifest explicitly models storage of sensitive personal travel data, including itineraries, companions, and loyalty membership numbers, but provides no indication of privacy notice, consent flow, retention limits, or data-handling safeguards. In a travel-planning context this data can reveal physical presence, habits, associations, and account identifiers, increasing privacy and targeting risk if exposed or mishandled.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The example normalizes saving trip JSON and related files without any explicit user-facing notice about file creation, storage location, or what personal travel data will be written. While the content is only an example and does not itself execute code, it can encourage implementations that persist potentially sensitive itinerary details without clear consent or transparency.

External Transmission

Medium
Category
Data Exfiltration
Content
- Current visa requirements for the user's nationality
   - Local customs, tipping norms, and safety considerations
4. **Weather check.** Use `web_search` or `web_fetch` to query Open-Meteo (free, no API key) for the travel dates:
   - URL pattern: `https://api.open-meteo.com/v1/forecast?latitude={lat}&longitude={lon}&daily=temperature_2m_max,temperature_2m_min,precipitation_probability_max&timezone=auto&start_date={YYYY-MM-DD}&end_date={YYYY-MM-DD}`
   - Tag each day's activities as "Rain-friendly ☂️" or "Sunny-only ☀️"
   - If rain is forecasted, swap outdoor activities for indoor alternatives
5. **Geographic clustering.** Group activities by neighborhood/area per day. NEVER schedule activities in distant neighborhoods back-to-back without noting transit time. Use this logic:
Confidence
89% confidence
Finding
https://api.open-meteo.com/

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
## Data Management & Security

- **Permissions:** All directories under `travel/` use `chmod 700`. All data files use `chmod 600`.
- **Sensitive data:** Passport numbers are NEVER stored in full. Only expiry dates and "valid" status. No credit card numbers. No booking passwords.
- **Sanitization:** Trip IDs use slugified destination + date (e.g., `tokyo-2026-04`). No special characters in filenames.
- **No hardcoded secrets:** No API keys, URLs, or credentials in scripts or config. Weather API (Open-Meteo) requires no key.
Confidence
86% confidence
Finding
Permissions:*

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
SKILL.md:18