Security audit

差旅预订助手 (Travel Booking Assistant)

Security checks across malware telemetry and agentic risk

Overview

This booking skill is not malware, but it advertises live Booking.com booking support while returning hardcoded hotel, room, price, policy, and review data as successful results.

Review before installing. Treat this as an incomplete or demo-like skill: do not rely on its hotel availability, prices, taxes, cancellation policy, reviews, or booking prompts unless the publisher replaces mock data with verified API responses and adds explicit user confirmation before any booking or cancellation action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding:
The skill declares an external travel-booking function set and explicitly references Booking.com APIs, but the manifest does not declare any corresponding network permission or equivalent capability boundary. This creates a transparency and governance gap: users and platforms cannot accurately assess what external communication the skill may perform, which increases the risk of unreviewed data exfiltration or unauthorized outbound requests.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The skill metadata advertises booking and reservation management, but this file only provides mocked, read-only hotel search/detail/review formatting. In an agent setting, this capability mismatch can mislead users or upstream orchestration into believing booking actions occurred when they did not, causing transactional integrity and trust issues.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding:
The formatter tells users that prices include taxes and fees and that free cancellation is supported, but the code does not verify either condition from API data. For a travel-booking skill, these are material commercial terms, so presenting unverified claims can mislead users into making purchases based on false assumptions and create financial or legal exposure.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill supports creating, querying, and canceling live hotel reservations but does not require an explicit user warning or confirmation flow before performing actions that may incur charges, penalties, or irreversible booking changes. In a travel-booking context, this is especially dangerous because mistaken or coerced actions can directly cause financial loss, reservation loss, or trip disruption.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The skill states that it uses Booking.com APIs with API-key authentication and reservation-related endpoints, but it does not warn users that guest details, itinerary information, and reservation data may be transmitted to an external service. Because hotel booking workflows commonly involve personal and travel data, the omission reduces informed consent and increases privacy and compliance risk.

VirusTotal

63/63 vendors flagged this skill as clean.