Flight Tracker

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but users should understand that its default AviationStack setup sends the API key and flight lookups over HTTP.

Install only if you are comfortable sending an AviationStack API key and flight queries to AviationStack, including over unencrypted HTTP on the free tier. Prefer an HTTPS-capable paid plan or another provider for sensitive use, use a limited-purpose key, avoid public or untrusted networks, and avoid permanently storing the key in shell profiles on shared machines.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Tainted flow: 'params' from os.environ.get (line 36, credential/environment) → requests.get (network output)

Critical
Category: Data Flow
Content:
}
    
    try:
        response = requests.get(base_url, params=params, timeout=10)
        response.raise_for_status()
        return response.json()
    except requests.exceptions.RequestException as e:
Confidence: 95%
Finding:
response = requests.get(base_url, params=params, timeout=10)

Missing User Warnings

Medium
Confidence: 97%
Finding:
The setup instructs users to obtain an API key and send flight queries to a third-party provider, but it does not clearly warn that the AviationStack free tier uses non-HTTPS transport. That means flight queries and the API key may be transmitted in cleartext, enabling interception or tampering by a network attacker and exposing user activity to a third party without adequate notice.

Missing User Warnings

Medium
Confidence: 88%
Finding:
The documentation instructs users to persist an API key in shell profile files, which can lead to long-lived credential exposure through dotfile backups, shared accounts, screenshots, support bundles, or accidental commits if home-directory config is synchronized. While this is common setup guidance, the lack of any warning about secret handling or safer alternatives increases the chance that users will store the credential insecurely and reuse the pattern elsewhere.

Missing User Warnings

Medium
Confidence: 98%
Finding:
The script uses `http://api.aviationstack.com/v1/flights`, causing the API key to be sent over an unencrypted connection with no warning to the user. This enables credential theft and response tampering via man-in-the-middle attacks, especially on shared, public, or enterprise networks.

VirusTotal

66/66 vendors flagged this skill as clean.
