Back to skill

Security audit

China Tips Ko

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed China-travel helper that sends travel questions to an external proxy/API, with privacy considerations but no evidence of hidden, destructive, or unrelated behavior.

Install only if you are comfortable sending China travel questions, dates, preferences, budgets, and itinerary details to the publisher's proxy and TripGenie. Avoid entering passport numbers, payment details, health information, or other sensitive personal data. Note that the script hardcodes its proxy URL and token despite declaring environment variables, so users have limited configuration control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares only the bash tool and environment variables, but its documented behavior clearly sends user queries to an external proxy and onward to a third-party API, which is a network capability. When network use is undeclared, users and reviewers cannot accurately assess data egress, making consent and policy enforcement weaker. In this context, the skill handles free-form travel queries that may contain personal itinerary details, so hidden outbound transmission increases privacy and governance risk.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The invocation scope covers very broad, ordinary travel questions, causing the skill to activate for many generic prompts that could be answered without external tool use. Overbroad triggering can silently route unrelated or only loosely related user content to the proxy/API, increasing unnecessary data exposure and making tool execution harder for users to predict. The travel-assistant context lowers direct exploit severity, but broad scope still creates privacy and least-privilege concerns.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The skill instructs the agent to always force `--locale=ko`, overriding user preference without opt-in. This is primarily a safety and user-trust issue: it can mis-handle requests from non-Korean speakers, reduce transparency, and cause unintended disclosure if the user's preferred language differs. In this skill's context it is less dangerous than direct code or secret exfiltration, but it still violates user control and can lead to erroneous travel guidance being presented.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends user travel queries and preferences to an external proxy service without any user-facing disclosure, consent flow, or indication that third parties will receive the data. In a travel context, queries can contain sensitive itinerary details, locations, dates, budgets, and personal preferences, creating privacy and data-handling risk even if the transport is HTTPS.

Ssd 3

Medium
Confidence
93% confidence
Finding
In tips mode, the user's free-form question is forwarded verbatim to the external service, which can include sensitive personal information the user types naturally, such as passport, visa, health, payment, or itinerary details. Because there is no filtering, warning, or redaction, the skill increases the chance of unintended disclosure to a third party.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.