Bus and Subway Route Query

Security checks across malware telemetry and agentic risk

Overview

This transit-route skill does what it says: it sends route search details to a disclosed proxy/map service and formats public transit results.

Install only if you are comfortable sharing travel search details such as origin, destination, and city with the skill publisher’s proxy service and the underlying map provider. Avoid entering highly sensitive home, workplace, or personal itinerary details if that privacy tradeoff is unacceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The function sends user-supplied origin, destination, and city data to a hard-coded third-party proxy endpoint, not directly to the map provider, without any disclosure or consent mechanism. Because location queries can reveal sensitive travel intent or personal whereabouts, routing them through an opaque proxy increases privacy and data-handling risk beyond what a user would reasonably expect.

VirusTotal

65/65 vendors flagged this skill as clean.
