Back to skill

Security audit

venue-polling

Security checks across malware telemetry and agentic risk

Overview

This skill is a real gym booking automation workflow that can automatically place a live reservation using embedded account credentials without a clear confirmation step.

Review before installing or running. Do not run the poller as-is unless you intentionally want it to create a real venue booking. Remove or rotate the embedded token, use only credentials and private keys you control, disable auto-booking by default, add an explicit confirmation step, and sanitize captured request examples.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation declares no permissions even though the bundled workflow clearly instructs reading local files and interacting with remote APIs. This under-declaration is dangerous because it hides the skill’s real capability surface from reviewers and users, reducing informed consent and making risky file/network actions easier to smuggle into normal use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented behavior frames the skill as polling and signature debugging, but the referenced workflow also supports submitting real createOrder requests, using a hardcoded authentication token, and loading a private key to sign live booking actions. In this context, the mismatch is especially dangerous because it can enable unauthorized actions against a real user account and conceal credentialed transaction automation behind a seemingly diagnostic skill.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The script’s stated purpose is polling availability and inspecting signing helpers, but it is configured with AUTO_BOOK=True and includes live order creation against a production booking endpoint. In a skill context, this is dangerous because running or modifying the skill can trigger real reservations and charges without clearly disclosing that it performs transactional actions beyond observation.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The loop continuously polls and, upon detecting availability, immediately books and exits, which makes the script an automated reservation bot rather than a passive monitor. That increases risk of unintended purchases, account misuse, and policy violations because the behavior is autonomous and time-sensitive.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The default prompt says to use the skill to 'inspect, run, or modify' the venue polling and signed booking workflow, which is broad enough to match many user requests related to gyms, polling, debugging, or signatures. Because implicit invocation is enabled, this increases the chance the skill is activated in contexts where executing or altering sensitive booking-signing logic was not the user's clear intent.

Natural-Language Policy Violations

High
Confidence
99% confidence
Finding
The file contains a captured HTTP request with live-looking authentication material, including a user token and a full request signature, embedded in plain text. In the context of a skill specifically intended to inspect or replay booking API signing flows, these values materially increase the risk of credential reuse, unauthorized API access, and abuse of the order-creation endpoint rather than serving as harmless documentation.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Automatic order creation is enabled by default and no interactive confirmation, warning, or review step occurs before the booking request is sent. In practice, anyone invoking the script with valid credentials could unintentionally place a real order, creating financial and operational consequences.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
A hardcoded bearer-like token is embedded in the script and automatically attached to outbound requests, exposing a sensitive credential in source code and enabling unauthorized use if the file is shared, logged, or committed. In the skill context, this is more dangerous because the token directly authorizes access to a real booking account and supports live transactional actions.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.