HiFleet租船AI

Security checks across malware telemetry and agentic risk

Overview

This shipping assistant appears legitimate, but it asks to sync and index personal business email without enough limits or deletion/privacy details.

Install only if you can restrict mailbox access to a dedicated account, folder, or app-specific credential. Before using it on real business email, confirm where the local memory and SQLite database are stored, how to delete them, how to stop sync, and what data is sent to HiFleet's cloud API.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly processes personal email content locally and also sends queries to a cloud API, but the description does not clearly warn users about privacy implications, data collection boundaries, retention, or what data may leave the device. In a skill handling potentially sensitive commercial and personal communications, this omission can lead to uninformed consent and accidental exposure of confidential shipping, contact, or account data.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal