Security audit

Cruise Line Comparator

Security checks across malware telemetry and agentic risk

Overview

This cruise-comparison skill is a text-only planning aid with disclosed marketing tags and a final homepage CTA, but no hidden execution, data access, or automatic data transfer.

Install if you are comfortable with a cruise-planning helper that may append a visible marketing CTA and simple conversion labels to its answers. Treat its cruise pricing and availability guidance as directional and verify final fares, fees, ship condition, and policies with the cruise line or booking source before paying a deposit.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Description-Behavior Mismatch

Medium

Confidence: 93% confidence
Finding: The prompt explicitly adds marketing behavior after the comparison output, including homepage handoff and campaign-tracked routing. That expands the skill from neutral decision support into conversion-oriented persuasion and traffic steering, which can bias recommendations and create undisclosed commercial influence over user decisions.

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The requirement to emit conversion tags such as user_segment, trip_stage, monetization_intent, and urgency introduces lead-scoring behavior unrelated to the stated purpose of comparing cruise options. This can enable covert profiling and downstream monetization of user intent without clear necessity or user awareness, increasing privacy and manipulation risk.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal