Back to skill

Security audit

A simple Flight Tracker

Security checks across malware telemetry and agentic risk

Overview

This flight-tracking skill matches its purpose, but its optional schedule lookup can expose an AviationStack API key over an unencrypted connection.

Live OpenSky tracking appears coherent for normal flight queries. Review before installing if you plan to use AviationStack: avoid setting AVIATIONSTACK_API_KEY unless the endpoint is changed to HTTPS, and rotate the key if it has already been used with this version.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The script sends the AviationStack API key and route query parameters to the API over plain HTTP, which exposes them to interception or modification by any attacker on the network path. Because the key is placed directly in the URL query string, it is additionally more likely to be logged by proxies, gateways, or client tooling, increasing credential exposure risk.

External Transmission

Medium
Category
Data Exfiltration
Content
def get_aviationstack_schedule(origin, dest, api_key, date=None):
    """Query AviationStack API for flight schedules (requires API key)"""
    base_url = "http://api.aviationstack.com/v1/flights"
    
    params = {
        'access_key': api_key,
Confidence
98% confidence
Finding
http://api.aviationstack.com/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.