航班动态追踪

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a straightforward VariFlight/API integration, with token and network use that fits its stated purpose.

Install only if you expect the skill to contact a VariFlight or proxy API and to use a dedicated, least-privilege API token. Review any manifest or setup notes for the exact env var and endpoint before use.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 90% confidence
Finding: The skill explicitly describes reading an authentication token from environment variables and sending user query parameters to an external proxy/API, which indicates effective use of env and network capabilities despite no declared permissions. This is dangerous because undeclared capabilities reduce transparency and reviewability, making it harder for operators and users to understand what data leaves the system and what secrets the skill can access.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal