潜水旅行助手

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed dive-travel helper that sends travel searches to external proxy-backed providers, which is privacy-sensitive but aligned with its stated purpose.

Install only if you are comfortable sending travel dates, origins, destinations, hotel searches, and location/food queries through the skill’s SCF proxy services. Treat prices and booking links as third-party results, and avoid entering sensitive personal details beyond what is needed for search.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill sends user-supplied travel queries to three hard-coded third-party proxy endpoints, including origin/destination, dates, hotel searches, routing, and food-location lookups, without any disclosure or consent mechanism. This creates a real privacy and data-governance risk because sensitive itinerary and location data is exfiltrated outside the local skill boundary to opaque services the user cannot evaluate.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal