Variflight Global Flight Fares

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Variflight fare lookup helper that sends route and date inputs to Variflight and does not show hidden persistence, credential access, or destructive behavior.

Before installing, understand that using the skill sends the searched departure code, arrival code, and date to Variflight's ticket API. It does not need an API key and does not appear to read local private files or store data persistently.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 93% confidence
Finding: The overview/workflow describes collecting departure, arrival, and date, but does not clearly warn users that these inputs will be transmitted to an external API. This is primarily a transparency and privacy issue: even low-sensitivity travel search data should not be silently sent off-platform without disclosure.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal