全球旅游助手

Security checks across malware telemetry and agentic risk

Overview

This travel skill is purpose-aligned and disclosed, with expected external lookups for live travel and exchange-rate data.

Install only if you are comfortable sending flight, hotel, and currency lookup details to external services. Booking links may include commission, and visa, safety, tax, and emergency information should be verified against official sources before travel.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The proxy-backed tools send user travel queries, dates, hotel searches, and potentially booking-related data to an external Tencent SCF endpoint, but the skill does not disclose this data flow to the user. In an agent setting, silent transmission of itinerary and travel-interest data creates a privacy and trust risk, especially because the endpoint is third-party infrastructure outside the local skill.

Missing User Warnings

Low

Confidence: 94% confidence
Finding: The exchange-rate function makes live requests to an external API based on user-supplied currency input without telling the user that the request leaves the local environment. Even though the transmitted data is relatively low sensitivity, undisclosed off-system transmission still poses a privacy/transparency issue in agent environments.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal