
Security audit

Global Hotel Search & Booking Skill - RollingGo 2.0 (new version)

Security checks across malware telemetry and agentic risk

Overview

This hotel skill mostly fits its travel purpose, but it needs review because it can install executable tooling and create real booking orders, and its stated safety boundaries contradict its own booking workflow.

Review this skill before installing. Use it only if you are comfortable with a travel skill installing local/global CLI software and potentially creating real hotel orders. Before any booking action, require the agent to show the exact hotel, room, dates, total price, cancellation terms, and contact details, then get your explicit confirmation. Avoid using order-history commands unless you intend to reveal past travel and contact information in the current agent session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The skill invokes shell-capable installers and network downloads (`npm install`, `python scripts/install.py`, manual GitHub binary retrieval) without declaring equivalent permissions or narrowing execution scope. This creates a trust gap where a host may treat the skill as low-privilege while it actually introduces code execution and remote supply-chain exposure.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The stated purpose is hotel search/booking/monitoring, but the skill behavior includes software installation, executable download, and local binary preparation. That mismatch is dangerous because reviewers and users may authorize a travel skill without realizing it also performs privileged environment modification and executes third-party code.

Description-Behavior Mismatch

Severity: High
Confidence: 87%
Finding
The document claims the skill only provides booking links and does not place orders, yet earlier instructions direct the agent to call `rgh book` to create real orders. This contradiction can cause unsafe autonomous purchases because operators or users may rely on the boundary statement while the workflow still enables transactional side effects.

Intent-Code Divergence

Severity: High
Confidence: 86%
Finding
The boundary section conflicts with the earlier order-placement workflow, indicating an intent/behavior split inside the same skill. Such inconsistency is security-relevant because safety controls, policy engines, or human reviewers may trust the less-dangerous statement while the actual prescribed behavior still performs real booking actions.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The trigger conditions are extremely broad and include common lodging/travel terms, making accidental invocation likely in ordinary conversation. In this skill context, unintended activation is more dangerous because the workflow can lead to login prompts, external installs, network calls, and even order-creation steps if the conversation continues.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The `book` command creates a real hotel order and returns a live payment URL, but the documentation does not require any explicit user-confirmation or user-facing warning before invoking it. In an agent setting, this increases the risk of unintended purchases, social-engineering-driven bookings, or users being funneled into a payment flow without clearly understanding that a binding transaction is being initiated.
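The confirmation step this finding asks for, as an added example that is not part of the audited skill or the `rgh` CLI: the agent renders the exact hotel, room, dates, total, cancellation terms and contact details, and the user's consent is bound to a digest of those details, so a proposal that changes after it was displayed cannot reuse earlier consent. BookingProposal, render_summary, confirmation_token, confirm_booking and book_if_confirmed are names introduced here, and the sample booking is constructed.

```python
"""Confirmation gate for a transactional agent action.

Added example, not code from the audited skill. Before anything like
`rgh book` runs, the agent shows the exact details and the user's reply
must carry a token derived from those details; changed details mean a
different token, so stale consent does not carry over.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Callable


@dataclass(frozen=True)
class BookingProposal:
    hotel: str
    room: str
    check_in: str        # ISO dates kept as strings so the digest is unambiguous
    check_out: str
    total_price: str     # string, not float, to avoid rounding noise in the digest
    currency: str
    cancellation: str
    contact_name: str
    contact_email: str


def confirmation_token(p: BookingProposal) -> str:
    """Short digest over the canonical form of exactly what the user is shown."""
    canonical = json.dumps(asdict(p), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:8]


def render_summary(p: BookingProposal) -> str:
    """Text the agent must present before asking for consent; includes the token."""
    return (
        f"Hotel: {p.hotel}\n"
        f"Room: {p.room}\n"
        f"Dates: {p.check_in} to {p.check_out}\n"
        f"Total: {p.total_price} {p.currency}\n"
        f"Cancellation: {p.cancellation}\n"
        f"Contact: {p.contact_name} <{p.contact_email}>\n"
        f"This creates a binding order. Reply exactly: CONFIRM {confirmation_token(p)}\n"
    )


def confirm_booking(p: BookingProposal, user_reply: str) -> bool:
    """True only for an explicit 'CONFIRM <token>' matching this proposal.

    A bare 'yes', or a token copied from a summary of different details,
    is rejected.
    """
    parts = user_reply.strip().split()
    return (
        len(parts) == 2
        and parts[0].upper() == "CONFIRM"
        and parts[1] == confirmation_token(p)
    )


def book_if_confirmed(p: BookingProposal, user_reply: str,
                      place_order: Callable[[BookingProposal], str]) -> str:
    """Invoke the real booking action only after confirmation; otherwise refuse."""
    if not confirm_booking(p, user_reply):
        return "refused: no explicit confirmation for this exact proposal"
    return place_order(p)


if __name__ == "__main__":
    # Constructed sample, not real booking data.
    proposal = BookingProposal("Example Harbour Hotel", "Standard double", "2024-06-01",
                               "2024-06-03", "240.00", "EUR", "Free until 2024-05-30",
                               "Alice Example", "alice@example.com")
    print(render_summary(proposal))
    print(book_if_confirmed(proposal, "yes", lambda p: "order placed"))
    print(book_if_confirmed(proposal, f"CONFIRM {confirmation_token(proposal)}",
                            lambda p: "order placed"))
```

The token is what makes the gate resistant to a prompt-injected or silently re-priced proposal: the agent cannot obtain a usable confirmation for details the user never saw.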

Missing User Warnings

Severity: Low
Confidence: 82%
Finding
The `orders` command returns booking history and personal data including hotel stays, contact names, and email addresses, yet the documentation provides no privacy notice, access-control expectations, or guidance on minimization when presenting results. In a conversational agent context, exposing historical travel data can leak sensitive personal information to the wrong person if session boundaries, authentication, or confirmation are weak.
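What minimization of the `orders` output could look like, as an added example rather than the skill's code: the default view returns only the fields needed to identify a stay, contact data is masked even when explicitly requested, and the list is capped so an entire travel history is not dumped into the session. The record shape follows the audit's description, but ORDER_HISTORY is constructed sample data and mask_email, mask_name and minimize_orders are hypothetical helpers.

```python
"""Data minimization when presenting order history.

Added example, not the skill's code. Constructed sample records stand in
for what `orders` returns; the helpers show one way to present them
without leaking names and email addresses into the agent session.
"""
import re

# Constructed sample, not real customer data.
ORDER_HISTORY = [
    {"order_id": "A1001", "hotel": "Example Harbour Hotel", "check_in": "2024-03-02",
     "check_out": "2024-03-05", "status": "completed",
     "contact_name": "Alice Example", "email": "alice.example@example.com"},
    {"order_id": "A1002", "hotel": "Example Airport Inn", "check_in": "2024-05-10",
     "check_out": "2024-05-11", "status": "cancelled",
     "contact_name": "Alice Example", "email": "alice.example@example.com"},
    {"order_id": "A1003", "hotel": "Example City Suites", "check_in": "2024-07-20",
     "check_out": "2024-07-24", "status": "confirmed",
     "contact_name": "Bob Example", "email": "bob@example.org"},
]

_EMAIL_RE = re.compile(r"^([^@\s]+)@([^@\s]+)$")
SAFE_FIELDS = ("order_id", "hotel", "check_in", "check_out", "status")


def mask_email(addr: str) -> str:
    """Keep one character of the local part and the domain: a***@example.com."""
    m = _EMAIL_RE.match(addr)
    if not m:
        return "***"
    local, domain = m.groups()
    return f"{local[0]}***@{domain}"


def mask_name(name: str) -> str:
    """First initial only, e.g. 'Alice Example' -> 'A.'."""
    return f"{name.strip()[:1]}." if name.strip() else "***"


def minimize_orders(records, limit=3, include_contact=False):
    """Most recent `limit` stays, safe fields only; masked contact on request."""
    recent = sorted(records, key=lambda r: r["check_in"], reverse=True)[:limit]
    rows = []
    for r in recent:
        row = {k: r[k] for k in SAFE_FIELDS}
        if include_contact:
            row["contact"] = f"{mask_name(r['contact_name'])} <{mask_email(r['email'])}>"
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in minimize_orders(ORDER_HISTORY):
        print(row)
    print(minimize_orders(ORDER_HISTORY, limit=1, include_contact=True))
```

Full contact details, where a user genuinely needs them, belong behind a separate per-order request rather than in the default listing.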

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The script downloads a platform executable from the network and writes it locally, then marks it executable on Unix-like systems, without verifying a checksum, signature, or trusted release identity. If the upstream release, transport endpoint, or local trust boundary is compromised, users can be tricked into installing and later executing a malicious binary.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The installer performs a global npm installation that changes system state without an explicit upfront consent step. In security-sensitive environments, silently installing whatever a package's `latest` tag currently points at increases supply-chain risk and can surprise users by modifying globally available tooling.
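The controls missing from the two installer findings above (the unverified binary download and the unconsented global npm install), as one added example that is not the skill's `scripts/install.py`: an explicit, action-specific consent check, a version pin that refuses bare names and dist-tags, and a SHA-256 check that runs before anything is written or marked executable. The package name, release URL and pinned digest are placeholders, and the download goes through an injected fetch function so the example runs offline against constructed bytes; has_consent, require_consent, is_pinned_spec, npm_global_install_argv, install_verified_binary and run_demo are names introduced here.

```python
"""Hardened installer step: consent, pinned version, digest check before chmod.

Added example, not the audited installer. Placeholder pins and an injected
fetch function keep it offline; the structure is what matters.
"""
import hashlib
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import Callable

# Hypothetical pins. A real installer ships these in its own source so the
# expected digest does not come from the same place as the binary.
PINNED_NPM_SPEC = "example-hotel-cli@2.0.1"
RELEASE_BYTES = b"hypothetical release binary v2.0.1\n"     # stands in for the download
PINNED_SHA256 = hashlib.sha256(RELEASE_BYTES).hexdigest()

_EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")


class InstallRefused(Exception):
    pass


def has_consent(action: str, consent: str) -> bool:
    """Consent must be explicit and name the action; 'y' or '' does not count."""
    return consent.strip() == f"INSTALL {action}"


def require_consent(action: str, consent: str) -> None:
    if not has_consent(action, consent):
        raise InstallRefused(f"no explicit consent for: {action}")


def is_pinned_spec(spec: str) -> bool:
    """name@X.Y.Z only; bare names, @latest and ranges are refused."""
    name, sep, version = spec.rpartition("@")
    return bool(sep and name and _EXACT_VERSION.match(version))


def npm_global_install_argv(spec: str) -> list:
    """argv for a global install, so it can be shown to the user before running.

    --ignore-scripts blocks lifecycle scripts; drop it only for a package that
    genuinely needs them, and say so in the consent prompt.
    """
    if not is_pinned_spec(spec):
        raise InstallRefused(f"unpinned package spec: {spec!r}")
    return ["npm", "install", "-g", "--ignore-scripts", spec]


def install_verified_binary(fetch: Callable[[str], bytes], url: str,
                            expected_sha256: str, dest: Path) -> Path:
    """Fetch, verify SHA-256, and only then write and mark executable."""
    data = fetch(url)
    actual = hashlib.sha256(data).hexdigest()
    if actual != expected_sha256:
        raise InstallRefused(f"digest mismatch for {url}: {actual} != {expected_sha256}")
    part = dest.with_name(dest.name + ".part")
    part.write_bytes(data)
    if os.name != "nt":
        part.chmod(part.stat().st_mode | stat.S_IXUSR)
    os.replace(part, dest)   # nothing executable appears at dest until verified
    return dest


def run_demo() -> dict:
    """Offline walk-through: a good fetch installs, a tampered fetch is refused."""
    good = lambda url: RELEASE_BYTES
    tampered = lambda url: RELEASE_BYTES + b"\x90"       # one extra byte
    out = {}
    with tempfile.TemporaryDirectory() as d:
        require_consent("example-hotel-cli 2.0.1", "INSTALL example-hotel-cli 2.0.1")
        dest = install_verified_binary(good, "https://example.invalid/rgh",
                                       PINNED_SHA256, Path(d) / "rgh")
        out["good_installed"] = dest.exists()
        out["good_executable"] = os.name == "nt" or os.access(dest, os.X_OK)
        try:
            install_verified_binary(tampered, "https://example.invalid/rgh",
                                    PINNED_SHA256, Path(d) / "rgh2")
            out["tampered_refused"] = False
        except InstallRefused:
            out["tampered_refused"] = True
        out["tampered_written"] = (Path(d) / "rgh2").exists()
    return out


if __name__ == "__main__":
    print(npm_global_install_argv(PINNED_NPM_SPEC))
    print(run_demo())
```

A pinned digest only helps if it is shipped with the installer rather than fetched from the same release endpoint as the binary; otherwise an attacker who controls the download also controls the expected value.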

VirusTotal

VirusTotal findings are pending for this skill version.


Static analysis

No suspicious patterns detected.