Seats Aero

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward seats.aero flight-award search helper, with the main caution that it asks for an API key and tells the agent to keep it in chat context.

Install only if you want an agent to query seats.aero for award availability. Use a revocable seats.aero API key, avoid sharing it in screenshots or logs, and rotate it if it may have been exposed in chat history.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill instructs the agent to collect and retain a third-party API key in conversation context without warning the user about how the credential will be stored, reused, or exposed to other tools or later turns. Persisting secrets in broad conversational state increases the risk of unintended disclosure through logs, memory reuse, prompt leakage, debugging output, or cross-task access.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal