HongKong

Security checks across malware telemetry and agentic risk

Overview

This is a Hong Kong travel-planning skill that stores optional trip notes locally and shows no code, credential access, network use, or hidden privileged behavior.

Install this if you want Hong Kong travel help and are comfortable with local trip notes in ~/hongkong/memory.md. Decline the broad 'jump in whenever Hong Kong comes up' preference if you only want the skill used when you explicitly ask, and avoid saving sensitive personal details in the trip memory.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The activation condition is broad and context-driven: reading the skill whenever `~/hongkong/` is missing or empty can cause the agent to load and follow this travel behavior outside a clearly user-requested Hong Kong planning task. That creates scope creep and unwanted persistence of behavior, especially because the file then instructs the agent to ask leading questions and adopt a specific persona.

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The instruction to ask 'Want me to jump in whenever Hong Kong comes up?' and save that to main memory creates a persistent, overly broad trigger for future intervention. This can cause the skill to activate in unrelated conversations that merely mention Hong Kong, leading to unsolicited behavior and memory-based cross-context interference.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal