Security audit

Expedia Travel

Security checks across malware telemetry and agentic risk

Overview

This Expedia travel plugin does what it says: searches travel inventory, uses email-based setup, and stores a local token for future searches.

Install only if you are comfortable sharing travel search details and an email address with Expedia's adapter service. The plugin saves a local credential so future searches and re-authentication work without re-entering your email; remove ~/.oc/credentials/eg-travel.json if you want to clear that local access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The tool passes credential-derived `contact` and `contact_method` into error handling, which can disclose user-associated personal data to an external adapter endpoint or downstream logging path during failures. Even if intended for support or diagnostics, sending this data without clear minimization or user-visible disclosure increases privacy and data-handling risk, especially because error paths are often broadly logged and less scrutinized.

VirusTotal

59/59 vendors flagged this plugin as clean.