Airbnb Search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Airbnb search helper that sends user-directed search details to Airbnb and does not show hidden access, persistence, or destructive behavior.

Reasonable to install for read-only Airbnb searches. Use it only for travel searches you are comfortable sending to Airbnb, do not provide Airbnb login credentials or cookies, and prefer trusted or pinned Python package installs for repeatable workflows.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 92% confidence
Finding: The skill performs outbound network access to Airbnb but does not declare any permissions, creating a transparency and policy-enforcement gap. In an agent environment, undeclared network capability can bypass user expectations, prevent proper consent/review, and make it easier for a skill to exfiltrate data or contact unintended endpoints if the implementation changes.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The function transmits user-provided search terms and optional travel details directly to Airbnb's servers without any built-in disclosure, consent flow, or minimization. In an agent skill context, users may reasonably believe they are only interacting with the local assistant, so silent third-party transmission of location and date data creates a privacy risk and can expose sensitive travel intent.

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal