Aviasales Flight Search

Security checks across malware telemetry and agentic risk

Overview

This flight-search skill matches its stated purpose, but users should know it sends search details to Travelpayouts/Aviasales and uses an API token.

Install only if you are comfortable providing a Travelpayouts API token and sending flight search details such as cities, IATA codes, dates, and route preferences to Travelpayouts/Aviasales. Use a dedicated token where possible, avoid placing the token in chat or logs, and be aware the script writes a low-sensitivity airline-name cache in /tmp for 24 hours.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation indicates use of environment variables, network access to third-party APIs, and file-writing/caching behavior, yet no permissions are declared. This creates a transparency and governance gap: users and platform controls may not realize the skill can access secrets, transmit itinerary data externally, and write local cache files.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad enough that the skill may activate on generic travel-related requests, causing unintended third-party queries. While this is not code execution, it can lead to privacy leakage of user itinerary details and incorrect tool selection.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description does not warn users that origin, destination, dates, and related travel preferences will be sent to Travelpayouts/Aviasales and autocomplete services. This is a real privacy disclosure issue because itinerary data can be sensitive and users are not informed before transmission.

External Transmission

Medium
Category
Data Exfiltration
Content
| Method | URL | Purpose |
|--------|-----|---------|
| GET | `https://api.travelpayouts.com/aviasales/v3/prices_for_dates` | Prices for specific dates |
| GET | `https://api.travelpayouts.com/aviasales/v3/get_latest_prices` | Latest found prices |
| GET | `https://api.travelpayouts.com/aviasales/v3/grouped_prices` | Min prices by month/day |
| GET | `https://api.travelpayouts.com/v1/city-directions` | Popular destinations |
Confidence
87% confidence
Finding
https://api.travelpayouts.com/

External Transmission

Medium
Category
Data Exfiltration
Content
| Method | URL | Purpose |
|--------|-----|---------|
| GET | `https://api.travelpayouts.com/aviasales/v3/prices_for_dates` | Prices for specific dates |
| GET | `https://api.travelpayouts.com/aviasales/v3/get_latest_prices` | Latest found prices |
| GET | `https://api.travelpayouts.com/aviasales/v3/grouped_prices` | Min prices by month/day |
| GET | `https://api.travelpayouts.com/v1/city-directions` | Popular destinations |
| GET | `https://autocomplete.travelpayouts.com/places2` | IATA code autocomplete |
Confidence
87% confidence
Finding
https://api.travelpayouts.com/

External Transmission

Medium
Category
Data Exfiltration
Content
| Method | URL | Purpose |
|--------|-----|---------|
| GET | `https://api.travelpayouts.com/aviasales/v3/prices_for_dates` | Prices for specific dates |
| GET | `https://api.travelpayouts.com/aviasales/v3/get_latest_prices` | Latest found prices |
| GET | `https://api.travelpayouts.com/aviasales/v3/grouped_prices` | Min prices by month/day |
| GET | `https://api.travelpayouts.com/v1/city-directions` | Popular destinations |
| GET | `https://autocomplete.travelpayouts.com/places2` | IATA code autocomplete |
Confidence
86% confidence
Finding
https://api.travelpayouts.com/

External Transmission

Medium
Category
Data Exfiltration
Content
| Method | URL | Purpose |
|--------|-----|---------|
| GET | `https://api.travelpayouts.com/aviasales/v3/prices_for_dates` | Prices for specific dates |
| GET | `https://api.travelpayouts.com/aviasales/v3/get_latest_prices` | Latest found prices |
| GET | `https://api.travelpayouts.com/aviasales/v3/grouped_prices` | Min prices by month/day |
| GET | `https://api.travelpayouts.com/v1/city-directions` | Popular destinations |
| GET | `https://autocomplete.travelpayouts.com/places2` | IATA code autocomplete |
Confidence
83% confidence
Finding
https://api.travelpayouts.com/

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal