flights

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward flight-search helper that sends flight query details to one disclosed third-party API.

Install if you are comfortable sharing flight search details with the 51smart API. Avoid including unrelated personal information in travel queries, and verify airports, dates, baggage, taxes, and prices before relying on the results.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The trigger guidance is explicitly broad: it says to trigger immediately for many common flight- or travel-related utterances, including loosely phrased intent like wanting to go somewhere and mentioning flying. That can cause unintended invocation on ambiguous conversation, which may lead to unnecessary external API calls and inadvertent sharing of user travel details with a third-party service without sufficiently clear user intent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal