旅行eSIM比价助手

Security checks across malware telemetry and agentic risk

Overview

This travel eSIM comparison skill appears to use local static data only, with no evidence of network calls, data collection, persistence, or destructive behavior.

Reasonable to install if you want offline travel eSIM and WiFi price guidance, but treat prices as approximate because the tool uses embedded data despite implying real-time coverage. The publisher should remove the unused PROXY_TOKEN declaration or clearly explain it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill asserts that it makes no external requests and collects no user data, yet the tool configuration includes a proxy token for the network-enabled tools. That contradiction is dangerous because it can mislead users into sharing travel details under a false assumption of purely local processing, undermining transparency and potentially exposing destination or itinerary-related data to external services.

VirusTotal

65/65 vendors flagged this skill as clean.
