Security audit

一站式旅行预订

Security checks across malware telemetry and agentic risk

Overview

This hotel booking skill is advertised as a live Booking.com reservation assistant, but its code returns mock hotel, room, price, review, and cancellation data as successful results.

Review before installing. Do not rely on this skill for real hotel availability, prices, taxes, reviews, cancellation terms, or reservations unless the publisher replaces the mock data with verified Booking.com API calls and adds explicit confirmation and privacy safeguards before any booking or cancellation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill advertises reservation creation, lookup, and cancellation without an explicit warning that actions may affect real bookings or incur charges. In a travel-booking context this is materially risky because a user could trigger real-world financial or itinerary changes through ambiguous prompts, especially if confirmation and consent steps are not enforced.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.