Security audit

Airbnb Full

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed StayingAPI integration for Airbnb listing/search workflows, with expected use of one API key and outbound API calls.

Install only if you intend to use StayingAPI for Airbnb data. Calls may consume credits and send listing URLs, addresses, search criteria, and webhook destinations to StayingAPI; review webhook use carefully because it can cause future job or cache events to be delivered to the URL you provide.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill explicitly requires an API key in environment variables and is designed to make outbound network requests, yet it declares no permissions model for those capabilities. This creates a governance gap: users and platforms are not clearly informed that the skill can access secrets and transmit data to a third-party service, increasing the risk of unintended credential use or data egress.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
def _key():
    k = os.environ.get("STAYINGAPI_KEY", "").strip()
    if not k:
        raise RuntimeError(
            "STAYINGAPI_KEY environment variable is not set. "
Confidence
70% confidence
Finding
os.environ.get("STAYINGAPI_KEY

VirusTotal

64/64 vendors flagged this skill as clean.
