Back to skill

Security audit

Scavio Google Flights

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward flight-search skill that uses a Scavio API key and sends trip search details to Scavio, with no executable code or persistence.

Install only if you are comfortable sending flight-search details such as airports, travel dates, passenger counts, cabin preferences, and airline filters to Scavio's API, and use your own SCAVIO_API_KEY. Do not paste unnecessary personal or sensitive information into flight searches.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence
90% confidence
Finding
The skill sends itinerary details such as origin, destination, and travel dates to Scavio's external API, but the description does not clearly warn users that their trip data will leave the local agent environment. This is a real transparency/privacy issue, even though external transmission is expected for a flight-search integration.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
SKILL.md:35