Korea Domestic Flights

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Korean domestic flight-search skill, but it needs review because its main scraper code is an unpinned local dependency outside the reviewed package.

Install or use this only if you trust and have verified the local tmp/Scraping-flight-information scraper clone, since searches execute code from that directory. Expect local browser-based web searches and a price-alert JSON file containing routes, dates, target prices, and optional notes/templates; schedule recurring checks only intentionally and remove old rules when no longer needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 90% confidence
Finding: The skill exposes shell, file read, and file write capabilities through multiple documented script invocations and local storage features, but the manifest shown in SKILL.md does not declare corresponding permissions. That mismatch is dangerous because callers and reviewers may underestimate what the skill can do, especially since it writes alert rules, may read local references/projects, and executes Python scripts against a local clone.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal