Hna 666 Flight Checker

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed flight-availability checker that runs browser automation for Hainan Airlines searches, with setup and site-automation cautions but no evidence of theft, persistence, destructive behavior, or hidden data handling.

Install only if you are comfortable with an automated browser running local Python code and querying Hainan Airlines repeatedly. Verify the local Playwright environment path is trusted, and avoid using the alternate CAPTCHA-continuation script unless you have explicit permission to automate the site.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Medium
84% confidence
Finding
The skill explicitly instructs the agent to run a local Python script from a fixed filesystem path, but it does not warn the user that activating the skill causes local code execution. This creates a transparency and trust boundary problem: even if the script is intended for legitimate flight lookup, users may unknowingly trigger arbitrary local code with the agent's permissions, and the long timeout plus debug flag slightly increase exposure if the script is modified or abused.

VirusTotal

66/66 vendors flagged this skill as clean.
