Bus Ticket Search and Booking (汽车票查询与预订)

Security checks across malware telemetry and agentic risk

Overview

The skill appears intended for bus-ticket lookup, but the supplied evidence shows a date-specific search may be presented without actually querying that date.

Review this skill carefully before installing. If you use it, verify travel dates directly with the ticket provider before booking or paying, and avoid relying on date-specific availability or prices until the date handling is fixed or clearly documented.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium (98% confidence)

Finding: The function parses and validates a user-supplied travel date, presents results as if they are for that parsed date, but never includes the date in the upstream ticket search request. This creates a security-relevant integrity issue: users may rely on stale or wrong-day schedules, prices, availability, and booking links, which can lead to misbooking and financial harm.

Intent-Code Divergence

Medium (96% confidence)

Finding: The code and docstring claim flexible date-based querying, but the implementation only uses the parsed date for display text and not for the actual search. This mismatch undermines output trustworthiness and can trick users into acting on incorrect travel information under a false assurance that the requested date was honored.

VirusTotal

VirusTotal findings are pending for this skill version.
