Security audit

老人自由行旅游出行管家 (Elderly Independent Travel Assistant)

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed elder-travel assistant, but it asks agents to handle emergency dispatch, health records, live location, media sharing, and delegated authority with weak boundaries.

Review before installing. This is not a hidden-malware style package, but it should only be used in a tightly permissioned environment with explicit opt-in from each traveler, strong identity checks, emergency-action safeguards, human escalation paths, audit logs, data retention limits, and hard confirmation before posting media, changing bookings, submitting reviews, or contacting third parties.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (59)

Description-Behavior Mismatch

Severity: Medium | Confidence: 89%
The README defines the core skill as a router, but nearby documentation and examples blur that boundary and imply the core entrypoint may directly trigger operational actions such as contacting providers, notifying children, emergency escalation, and outbound messaging. In a safety-sensitive elder-care travel context, this scope ambiguity can cause over-privileged routing behavior, unexpected side effects, and accidental invocation of sensitive actions without clear consent or separation of responsibilities.

Context-Inappropriate Capability

Severity: Medium | Confidence: 86%
The documented capability set expands from travel assistance into health monitoring, medical escalation, anti-fraud detection, and hospital coordination, which are materially more sensitive than simple intent routing. This scope creep increases risk because the system may process health and location data or initiate emergency contacts under a travel-assistant umbrella without sufficiently clear justification, governance, or least-privilege boundaries.

Description-Behavior Mismatch

Severity: Medium | Confidence: 92%
The skill is presented as a routing/coordinating entrypoint, but its documented behavior includes initiating real-world emergency actions such as calling 120, notifying family, and dispatching assistance. This capability expansion is dangerous because users, reviewers, and downstream systems may grant the skill broader authority than intended, enabling unintended or unauthorized external actions during ambiguous or misclassified inputs.

Description-Behavior Mismatch

Severity: Medium | Confidence: 94%
The documentation claims the core skill directly acquires location, contacts guides and family, marks suspicious persons, and performs fraud-response handling, which exceeds a simple coordinator role. In a safety-critical elder-care travel context, this mismatch increases the risk of over-privileged deployment, unexpected data handling, and unsafe automated interventions triggered by normal conversation.

Context-Inappropriate Capability

Severity: High | Confidence: 97%
The skill stores and shares highly sensitive data including health profiles, emergency contacts, and precise GPS location, yet this broad access is not clearly minimized or justified for a routing entrypoint. Because the target users are elderly travelers in emergency scenarios, misuse, over-collection, or over-sharing could expose medical and location data, facilitate stalking or fraud, and amplify harm during already vulnerable moments.

Description-Behavior Mismatch

Severity: Medium | Confidence: 91%
The examples document the 'core entry' skill as directly performing privileged downstream actions far beyond intent recognition and routing, including emergency dispatch, contacting providers/relatives, changing arrangements, submitting reviews, and social sharing. In an agent system, this kind of scope expansion is dangerous because it encourages a front-door skill to accumulate broad authority and act on sensitive user data and external systems without clear capability boundaries or explicit confirmation.

Context-Inappropriate Capability

Severity: Medium | Confidence: 92%
The file describes auto-sharing travel videos to WeChat Moments and Douyin, which is outside the stated purpose of an elder travel-care entry skill and creates unnecessary access to social accounts and public posting flows. This increases the blast radius of the skill and can expose sensitive travel history, identities, and photos through unauthorized or overly broad sharing.

Context-Inappropriate Capability

Severity: High | Confidence: 95%
The emergency scenario gives the skill authority to retrieve health records, call emergency services, notify family, and coordinate medical response, all exceeding a simple recognition/routing role. Because these actions involve highly sensitive medical and location data plus real-world intervention, overbroad capability in a central skill materially raises privacy, safety, and misuse risks.

Context-Inappropriate Capability

Severity: Medium | Confidence: 96%
The skill exposes real-time parental location and trip progress to a child user even though the skill’s stated purpose is itinerary generation and elder-friendly trip viewing. Because the tracked users are elderly travelers and no consent, minimization, or access-control flow is described, this creates a meaningful privacy and surveillance risk that could enable unauthorized monitoring or stalking if account access is abused.

Context-Inappropriate Capability

Severity: High | Confidence: 97%
The skill goes beyond itinerary display by generating a 'legally effective' authorization letter containing highly sensitive identity data such as child name, ID number, relationship details, and digital signature. This materially expands the trust boundary and could facilitate identity misuse, forged authority, or overbroad delegation if the document is generated, shared, or verified without strong legal review and security controls.

Description-Behavior Mismatch

Severity: High | Confidence: 95%
The skill defines direct health monitoring, triage, and emergency intervention workflows, including automatic escalation actions, which materially exceed a router/coordinator role. In a travel assistant for elderly users, this is dangerous because users may rely on the system for medical judgment and emergency handling without clear safeguards, validation, or human oversight.

Description-Behavior Mismatch

Severity: Medium | Confidence: 92%
The skill introduces surveillance-style behaviors such as persistent location awareness, abnormal spending detection, route deviation checks, and anti-fraud interventions, none of which fit a simple entry-point/router scope. In this context, the mismatch increases privacy and abuse risk because the skill could normalize covert monitoring of elderly travelers without explicit boundaries or approvals.

Description-Behavior Mismatch

Severity: Medium | Confidence: 90%
The document specifies proactive scheduling, reminders, outbound calls, and automation workflows rather than only coordinating across skills. This expansion of authority raises the risk of unintended actions, spam-like contact, and silent task execution beyond what users or operators may expect from the core entry skill.

Description-Behavior Mismatch

Severity: High | Confidence: 93%
The skill is presented as a review/feedback collector, but it also performs complaint handling, remediation promises, and compensation-related workflows. This scope expansion is dangerous because it can cause the agent to take or imply operational actions beyond its verified authority, leading users to rely on unsupported interventions during service failures or disputes.

Description-Behavior Mismatch

Severity: Medium | Confidence: 89%
The document states that reviews update provider credit scores and trigger provider-side operational notifications, but the skill is framed as a simple feedback channel. Tying user speech-derived reviews to business scoring and downstream actions without clear controls increases the risk of unauthorized or unintended business-impacting changes from misclassification, spoofed input, or mistaken identity.

Intent-Code Divergence

Severity: High | Confidence: 96%
The '我的处理' ('My handling') section promises concrete outcomes such as contacting a hotel manager, arranging a room change, and securing compensation, but those actions are not supported by the shown implementation. This is dangerous because users may trust the agent to resolve lodging and safety-affecting issues that the system cannot actually execute, delaying real support and creating deceptive automation behavior.

Intent-Code Divergence

Severity: High | Confidence: 97%
The complaint example claims immediate intervention, on-site support, refund processing, and ticket creation without documented implementation. In the travel context, especially for elderly users facing coercion or safety concerns, false assurances can materially worsen harm by causing them to wait for help that was never actually dispatched.

Context-Inappropriate Capability

Severity: High | Confidence: 94%
The skill exposes social sharing and even auto-posting behavior that goes beyond a travel-core router/orchestrator role and can cause unapproved disclosure of personal travel media. In this elderly-focused context, the risk is amplified because users may not understand platform visibility, and the dialogue suggests posting on their behalf with minimal friction.

Context-Inappropriate Capability

Severity: High | Confidence: 97%
The use of face recognition to identify travelers and voice cloning of children introduces biometric and identity-sensitive processing that is not justified by the parent skill's stated routing purpose. These capabilities can enable privacy violations, impersonation, and misuse of family members' likeness and voices without robust consent controls.

Description-Behavior Mismatch

Severity: High | Confidence: 99%
The file documents a full AI video-production and publishing workflow, which is materially inconsistent with the manifest's described elder-travel routing/coordinator function. Scope mismatch is dangerous because it can conceal privileged or privacy-invasive capabilities inside a trusted orchestration surface, making review, permissioning, and user expectations unreliable.

Description-Behavior Mismatch

Severity: Medium | Confidence: 92%
The file documents powerful emergency-dispatch and health-record APIs inside a core skill whose declared role is only intent recognition, routing, and coordination. This expands the effective authority of the core entry point to include medical, location, and notification actions, increasing the chance that a broad front-door skill can invoke high-impact capabilities without proper specialization, separation of duties, or tighter review.

Context-Inappropriate Capability

Severity: Medium | Confidence: 89%
The health-profile management APIs allow creation, retrieval, and update of sensitive medical records, which is materially beyond a simple coordinator skill's stated purpose. When a routing entry point is associated with long-term medical record handling, it creates unnecessary concentration of sensitive capabilities and raises the risk of unauthorized access, over-collection, and misuse of protected health information.

Context-Inappropriate Capability

Severity: High | Confidence: 98%
The documented rule that emergency actions execute even when authentication fails creates an authorization bypass for extremely sensitive operations such as ambulance dispatch, family notification, and location-based intervention. In a travel concierge context, this is especially dangerous because the core skill may be broadly reachable, so an attacker or buggy integration could trigger real-world actions and privacy disclosures without establishing identity first.

Context-Inappropriate Capability

Severity: Medium | Confidence: 91%
The skill is described as a routing/coordinator entrypoint, but this file documents additional operational capabilities including face recognition, AI video generation, and electronic authorization. Expanding the apparent tool surface beyond the declared purpose increases the chance of unsafe invocation, over-privileged integrations, and misuse of sensitive functions by downstream agents or maintainers.

Missing User Warnings

Severity: Medium | Confidence: 94%
The changelog explicitly shifts from user-uploaded media to AI automatically collecting travel media, but provides no notice, consent flow, scope limitation, or retention controls. In a senior-focused travel assistant, silent capture of photos/videos can expose highly sensitive personal, biometric, and location-linked data, especially because the users may be less able to understand or revoke collection.

VirusTotal

65/65 vendors flagged this skill as clean.