Security audit

Travel planner case

Security checks across malware telemetry and agentic risk

Overview

This travel-planning skill is disclosed and purpose-aligned, but its helper scripts appear to produce mock/structured data rather than real live searches or a finished PPT by themselves.

Install only if you are comfortable with the agent performing web searches for your trip details and creating local output files. Treat generated recommendations as draft content unless the agent shows actual sources, and do not rely on the bundled helper scripts alone for verified live travel research or a completed PPT.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 71%
Finding
The skill documentation indicates capabilities that can read and write files, yet no permissions are declared. That creates a trust and enforcement gap: a reviewer or runtime may underestimate what the skill can access or modify, increasing the risk of unintended file access, overwriting local content, or mishandling generated artifacts such as PPT files.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 91%
Finding
The skill claims to perform live multi-platform search, ranking, image retrieval, and PPT generation, but the analyzed behavior reportedly only returns query strings, uses hardcoded sample data, leaves images empty, and does not generate a real PPT. This is a security-relevant integrity issue because users may trust fabricated or incomplete outputs as externally validated travel advice, and downstream automations may act on nonexistent files or misleading data provenance.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding
The script materially overstates its capabilities: it does not perform any real multi-platform search, image retrieval, or PPT generation despite the manifest and code comments claiming it does. This is a security-relevant integrity issue because downstream agents or users may trust fabricated or incomplete outputs as if they were externally sourced research, leading to unsafe automation decisions and deceptive behavior.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The docstrings and comments describe genuine platform search and raw-result analysis, but the implementation uses mock queries and hardcoded attractions. In an agent skill, this discrepancy can mislead orchestration layers, reviewers, or users into treating synthetic data as verified external intelligence, which undermines trust boundaries and can propagate false content into travel plans or generated presentations.

VirusTotal

67/67 vendors flagged this skill as clean.