Niu Vehicle

Security checks across malware telemetry and agentic risk

Overview

This skill transparently queries NIU scooter status, including location, using the user's NIU API key.

Install only if you are comfortable letting the agent use your NIU API key to retrieve live scooter status, including location. Treat the key and returned location as private, prefer a revocable key, and be aware setup may require jq even though only curl is declared.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill handles sensitive data (a persistent API key and real-time vehicle location), but the user-facing description and setup guidance include no privacy notice, consent language, or warning about exposing location and account-linked telemetry. The omission matters here because the skill is explicitly designed to retrieve a scooter's whereabouts and account-associated status, which increases the risk of unintended disclosure or misuse by users who may not realize how sensitive the queried data is.

VirusTotal

66/66 vendors flagged this skill as clean.
