Security audit

dive trip planner

Security checks across malware telemetry and agentic risk

Overview

This is a coherent dive-trip planning skill that asks for travel preferences, searches flyai, and shows booking links, with privacy and link-verification cautions but no hidden or destructive behavior.

Install only if you are comfortable sharing dive-trip preferences with flyai for travel search. Treat all flight, hotel, and dive-shop links as external booking links, verify the destination and operator reputation, and do not enter payment or passport details unless you trust the third-party site.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 86%
Finding
The skill description includes broad trigger examples such as '帮我找个潜水店' ("help me find a dive shop"), which can match ordinary travel or recommendation requests and cause the skill to activate unexpectedly. Mis-triggering can expose users to unnecessary collection of itinerary, budget, and certification details and can route them into a booking workflow they did not explicitly request.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs the agent to collect detailed travel dates, departure city, party composition, budget, hotel room preferences, and diving certification information, then query an external service, but it provides no privacy notice or consent step. This creates a data-handling risk because sensitive travel-profile data may be transmitted to flyai without the user understanding what is shared or why.

Missing User Warnings

Medium
Confidence: 95%
Finding
The report template requires clickable booking links for flights, hotels, and dive shops, but it does not warn users that these links lead to external booking actions. In a transactional context, unlabeled outbound links increase phishing, spoofing, and unintended-purchase risk because users may treat them as trusted in-platform actions.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.