出国游全球通版

Security checks across malware telemetry and agentic risk

Overview

This skill is a travel-report generator that creates local Word documents and does not show hidden data access, credential use, persistence, or destructive behavior.

Install only if you want a local Word-report generator for travel guidance. Do not rely on it as authoritative for visas, laws, safety, medical, or consular decisions; verify those details with official government or embassy sources before acting.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The skill advertises extremely broad natural-language triggers such as asking about a country, visa, or safety, which can cause the agent to invoke the skill from generic conversation without clear user intent boundaries. In an agent ecosystem, this increases the chance of unintended execution, surprise network access, and generation of authoritative-seeming travel or consular guidance when the user may have only been asking a casual question.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The README states that supplemental data is fetched from the web on every query and is 'always up to date,' but it does not give a prominent operational warning that using the skill causes live network access. This can mislead users and host agents about privacy, data flow, reliability, and the risk of pulling untrusted external content into generated documents.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal