Back to skill

Security audit

出游攻略助手

Security checks across malware telemetry and agentic risk

Overview

This is a travel-planning instruction skill that uses public web lookups for current trip details and does not install code or request sensitive system access.

Safe to install if you are comfortable sharing trip details such as destination, dates, departure city, group size, and budget with the assistant and with external search/booking sources. Treat generated prices, schedules, visa notes, and opening hours as planning references and verify them with official providers before booking.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file embeds static budget ranges for flights, hotels, meals, and other travel costs, which conflicts with the skill’s stated requirement that key price information must come from live web queries with cited sources. If the agent relies on this template instead of current data, it can generate misleading budgets, omit source attribution, and cause users to make poor financial decisions based on stale or inaccurate information.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.