A simple Flight Tracker

Security checks across malware telemetry and agentic risk

Overview

This flight-tracking skill does what it claims, but its optional schedule lookup can expose an AviationStack API key over an unencrypted connection.

Review this skill before installing if you plan to use AviationStack. Live OpenSky tracking appears purpose-aligned, but do not set AVIATIONSTACK_API_KEY unless the schedule endpoint is changed to HTTPS; rotate the key if it has already been used through this version.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script places the API key and user query parameters into a request sent over plain HTTP, not HTTPS. This exposes the credential and request contents to interception or modification by any network attacker between the client and the API endpoint.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The script sends user-supplied query values such as callsigns or ICAO identifiers to the external OpenSky Network API without any explicit user-facing disclosure. While the transmitted data is not highly sensitive in the normal flight-tracking context, this still creates a privacy and transparency issue because user queries leave the host and are shared with a third party.

External Transmission

Medium
Category
Data Exfiltration
Content
def get_aviationstack_schedule(origin, dest, api_key, date=None):
    """Query AviationStack API for flight schedules (requires API key)"""
    base_url = "http://api.aviationstack.com/v1/flights"
    
    params = {
        'access_key': api_key,
Confidence
99% confidence
Finding
http://api.aviationstack.com/

VirusTotal

64/64 vendors flagged this skill as clean.
