Security audit

Aerobase Travel

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Aerobase travel API guide for scoring and searching flights, with expected sharing of itinerary details to Aerobase.

Install only if you trust Aerobase with the flight routes, dates, times, and related travel details you ask it to analyze. Use a dedicated API key, avoid submitting highly sensitive itineraries unless appropriate, and revoke the key when you no longer need the skill.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs use of an external API key and sends user travel data to a third-party service, but it does not warn users that their itinerary details may be transmitted off-platform. This creates a real privacy and consent issue because travel dates, routes, and timing can be sensitive personal information, and users may not expect that data to be shared externally.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal