Hotel and Flight Booking (酒店机票预订)

Security checks across malware telemetry and agentic risk

Overview

This hotel-booking skill appears to overstate reservation abilities and could mislead users into thinking a booking was made when the artifacts show no real booking workflow.

Review before installing. Treat this as a search/demo helper unless the publisher fixes the documentation and implements real reservation flows with clear confirmations, confirmation IDs, cancellation/charge warnings, and disclosure of data sent to Booking.com or partners.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill clearly depends on external Booking.com APIs, which implies network access, yet no explicit permissions or equivalent declaration are present. That gap weakens reviewability and user/operator awareness, and in a travel-booking context network access can expose user itinerary, reservation, or personal data to external services without clear governance.

Tp4

High
Category
MCP Tool Poisoning
Confidence
81% confidence
Finding
The documented behavior is inconsistent: it claims booking and reservation management, adds review retrieval and helper/rendering behavior not reflected in the top-level description, and may not actually implement the sensitive reservation actions it advertises. In a booking skill, this mismatch is dangerous because users may trust the agent to create, query, or cancel reservations when it cannot, or may disclose personal/travel data under false assumptions about what the skill actually does.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill metadata and module behavior are misaligned: it claims Booking.com booking and reservation-management support, but the code only implements hotel search, detail lookup, reviews, and text formatting with mock data. In an agent setting, this can mislead users and orchestrators into believing bookings or reservation changes occurred when no such transactional functionality exists, causing operational and trust failures.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The formatted user-facing text says replying with a room number will book a room, but the code performs no booking action at all. This is dangerous because users may disclose personal details, rely on nonexistent reservations, or believe a purchase was completed when the system has no transactional backend or confirmation mechanism.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill describes creating, querying, and canceling reservations but does not warn that these actions may transmit guest information, modify bookings, incur charges, or affect user travel plans. In this context that omission is especially risky because booking flows commonly involve personal data, payment-adjacent consequences, and irreversible account-impacting operations.

VirusTotal

65/65 vendors flagged this skill as clean.
