military-flights

Security checks across malware telemetry and agentic risk

Overview

The skill appears travel-related, but it may automatically install a global tool and persist raw travel queries locally without clear user control.

Review this before installing if you may enter personal travel, visa, identity, or booking details. Approve any npm/global tool installation yourself, check what package is being installed, and look for or disable any local execution log that stores raw prompts.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs the agent to install a global npm package and execute an external CLI automatically if it is missing. That causes system modification and code execution from an external package repository without explicit user approval, which can expose the host to supply-chain risk or unexpected environment changes.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The runbook explicitly logs the raw user query and appends execution logs to a local file, but provides no notice, consent flow, retention policy, or minimization guidance. In a travel-booking skill, user queries may contain personal and sensitive data such as names, travel dates, locations, visa details, military/veteran status, and booking preferences, so persistent storage increases privacy, compliance, and accidental disclosure risk.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal