Security audit

City of Vancouver Open Data

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward tool for querying Vancouver public open-data datasets, with no hidden credential access, destructive actions, or unrelated behavior found.

Install this if you are comfortable letting the agent run the included Python script and make HTTPS requests to opendata.vancouver.ca. It may create a small local cache beside the script, and exported files are only created when output is explicitly redirected, such as saving CSV results.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 81% confidence
Finding: The trigger phrases `vancouver transit` and `vancouver permits` are broad enough to activate this skill for generic city-information requests, causing unintended routing to a Bash-enabled skill. While not directly malicious, overbroad invocation can increase exposure to unnecessary command execution paths or confuse users by selecting a tool that is more powerful than needed.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal