Flight Pricer

Security checks across malware telemetry and agentic risk

Overview

The skill is a straightforward flight-price CLI that uses a Duffel API key for its advertised purpose, with manageable credential-storage and dependency hygiene caveats.

Install this in a virtual environment, use a Duffel key with the least privileges available, and check permissions on ~/.config/flight-pricer/config.yaml because the key is stored on disk. Consider pinning dependencies or installing from a controlled lockfile if you need stronger supply-chain reproducibility.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (7)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The documentation explicitly instructs users to store a long-lived Duffel API key in a plaintext local config file under the home directory, but does not warn about the security implications of doing so. This can lead to credential exposure through weak filesystem permissions, backups, shared machines, shell history during setup, or accidental inclusion in support bundles and dotfile sync tools.

Unpinned Dependencies

Low

Category: Supply Chain
Content: click requests pyyaml tabulate
Confidence: 94% confidence
Finding: click

Unpinned Dependencies

Low

Category: Supply Chain
Content: click requests pyyaml tabulate
Confidence: 99% confidence
Finding: requests

Unpinned Dependencies

Low

Category: Supply Chain
Content: click requests pyyaml tabulate
Confidence: 99% confidence
Finding: pyyaml

Unpinned Dependencies

Low

Category: Supply Chain
Content: click requests pyyaml tabulate
Confidence: 92% confidence
Finding: tabulate

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High

Category: Supply Chain
Confidence: 98% confidence
Finding: requests

Known Vulnerable Dependency: pyyaml — 8 advisory(ies): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Critical

Category: Supply Chain
Confidence: 99% confidence
Finding: pyyaml

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal