Flight Delay Compensation Assistant (航班延误赔偿助手)

Security checks across malware telemetry and agentic risk

Overview

This skill coherently checks flight delays through a disclosed cloud proxy and does not show hidden persistence, credential harvesting, or destructive behavior.

Install only if you are comfortable sending flight numbers and dates through the publisher's Tencent SCF proxy to the flight-data provider. Avoid entering unnecessary personal details, and treat itinerary queries as potentially sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 85%
Finding
The check command sends user-supplied flight number and date to a remote proxy service without any explicit disclosure or consent at the call site. While flight data is not highly sensitive in most cases, travel itinerary details can still reveal personal movement patterns or associations, and the extra proxy hop increases data exposure beyond the apparent local tool behavior.

Missing User Warnings

Medium
Confidence: 85%
Finding
The claim-generation path also performs a remote lookup using user flight details without clearly warning the user that their query is sent to an external proxy. In a claims context, users may reasonably expect the tool to generate a template locally, so the hidden network transmission creates an avoidable privacy and transparency risk.

VirusTotal

65/65 vendors flagged this skill as clean.
