Security audit

永东直通巴士查询

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward eebus/Yongdong bus schedule lookup that runs one local Node script and contacts the bus service, with no credential access, persistence, or system changes.

Before installing, be aware that queries will contact www.myeebus.com and disclose the requested route, date, stops, and your IP address to that service. For generic Shenzhen/Hong Kong travel questions, confirm you actually want an eebus bus lookup because the trigger wording is somewhat broad.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The skill description includes broad phrases such as '去深圳', '回香港', and generic ticket/bus queries that could match many ordinary travel requests lacking explicit reference to eebus. Over-broad activation can cause the wrong skill to run, leading to unintended data handling, confusing outputs, or execution of external scripts on unrelated user requests.

Vague Triggers

Medium

Confidence: 94% confidence
Finding: Examples like '5月1号回香港有什么班次', '后天去莲塘口岸的巴士', and '下周六回深圳' are ambiguous because they omit the provider and could refer to other transport modes or services. In this context, ambiguous examples materially increase the chance of accidental invocation of this bus-query skill for unrelated travel queries.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal