Lynx Skill

Security checks across malware telemetry and agentic risk

Overview

This Lynx travel CLI is mostly purpose-aligned, but it needs Review because debug mode can silently leave sensitive reservation data in world-readable temporary files.

Install only if you understand that this tool can read and modify live Lynx reservation documents and upload selected local files to Lynx. Avoid enabling LYNX_DEBUG unless you can protect and clean /tmp output, do not paste raw LYNX_* values into logs or support chats, and review upload/save commands carefully before running them against production records.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (11)

Context-Inappropriate Capability

Medium

Confidence: 97% confidence
Finding: When LYNX_DEBUG is set, the client writes raw itinerary responses to predictable files under /tmp with mode 0644. Those responses likely contain sensitive travel and customer data, and /tmp is commonly accessible by other local users or processes, making unintended disclosure realistic.

Context-Inappropriate Capability

Medium

Confidence: 97% confidence
Finding: In debug mode, raw document-retrieval responses are written to /tmp using world-readable permissions and partially predictable names. File-document responses may include document metadata or content references tied to customer files, so this creates a local data exposure channel outside the skill's normal API behavior.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The document explicitly plans a CLI workflow that uploads a local file path to the remote Lynx service, but it does not warn users that selecting a local file will transmit its contents off-host. In a travel-agency skill handling potentially sensitive itineraries and customer documents, this omission can lead to unintentional exfiltration of personal or regulated data.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The file documents use of `LYNX_USERNAME`, `LYNX_PASSWORD`, `LYNX_COMPANY_CODE`, and bearer tokens, but provides no guidance on safe handling, storage, masking, or logging of these secrets. In this skill context, those credentials directly enable access to reservation records and document operations, so poor secret hygiene could expose customer data or permit unauthorized actions.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The description understates the skill's ability to upload arbitrary local files and create or modify remote records in a live travel system. In an agent setting, this can lead users or higher-level orchestration to invoke write-capable commands without realizing they can exfiltrate local files or alter customer documents in production.

Missing User Warnings

Low

Confidence: 79% confidence
Finding: The troubleshooting guidance later encourages `env | grep LYNX`, which can expose usernames, company codes, and especially passwords in terminal history, logs, screenshots, or agent output. Because the skill relies on environment variables for authentication, missing warnings about safe handling of those values increases the likelihood of accidental credential disclosure.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The code silently writes raw itinerary data to /tmp whenever LYNX_DEBUG is present, without any user-facing disclosure or consent. Because this skill handles travel-agency records, the hidden persistence of sensitive response data increases the risk of privacy leakage, forensic residue, and accidental collection by other tools.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The client also silently persists raw file-document responses to /tmp in debug mode, again without warning. In the context of a reservations/document-management CLI, these responses can expose customer-linked document details beyond user expectations, making the undisclosed behavior security-relevant rather than harmless debugging.

Missing User Warnings

Medium

Confidence: 85% confidence
Finding: This command reads an arbitrary local file from disk and uploads its contents to a remote Lynx endpoint after authenticating, but provides no explicit confirmation, warning, or disclosure to the user at the point of exfiltration. In a CLI skill that may be invoked by an agent on a user's behalf, this increases the risk of unintended sensitive-data transmission if the file path is influenced by ambiguous prompts, automation, or user misunderstanding.

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: This test logs the fully parsed itinerary object, and the embedded fixture contains real-looking personal and booking data including passenger names, travel dates, booking references, locations, and even a mobile number in remarks. Test logs are often retained in CI systems and shared during debugging, so this creates a real privacy and data-leakage risk even though it is in test code.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: This test pretty-prints full file-search results containing personal travel records, including names, file references, statuses, travel dates, and client identifiers. In the Lynx travel-reservations context, these records are especially sensitive because they map directly to customer bookings and can expose itinerary intelligence if logs are accessed or exported.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal