flight-time
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface through the ingestion of external data.
- Ingestion points: The script `scripts/flight_time.py` fetches airport metadata, including the airport name, from the NOAA Aviation Weather Center API.
- Boundary markers: The airport names are interpolated directly into the text output provided to the agent without delimiters or instructions to disregard embedded commands.
- Capability inventory: The skill is restricted to mathematical calculations and network requests to known NOAA domains; it does not perform arbitrary command execution or file writes.
- Sanitization: Content retrieved from the API is stripped of whitespace but not sanitized for prompt injection patterns before being presented to the agent.
- [EXTERNAL_DOWNLOADS]: Fetches airport coordinates and winds aloft data from the official NOAA Aviation Weather Center API (aviationweather.gov).