skiplagged-travel-search
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill processes untrusted external data from the Skiplagged MCP server, which could potentially contain malicious instructions intended to influence the agent behavior.
- Ingestion points: Data enters the agent context through results returned by tools such as `sk_flights_search`, `sk_hotels_search`, and `sk_destinations_anywhere` (documented in SKILL.md and agents/openai.yaml).
- Boundary markers: Absent. There are no instructions to use delimiters or warnings to ignore embedded instructions in the tool outputs.
- Capability inventory: The skill is limited to tool-calling via the MCP protocol. No file-system access, subprocess execution, or direct network requests are performed by the skill's own logic.
- Sanitization: Absent. The agent is directed to summarize tool outputs directly in traveler-centric language without filtering or escaping content.
- Data Exposure & Exfiltration (SAFE): The skill does not access sensitive local files (e.g., SSH keys, env files) or include hardcoded credentials. It communicates only with the intended service endpoint.
- Unverifiable Dependencies & Remote Code Execution (SAFE): The skill references a remote MCP server at https://mcp.skiplagged.com/mcp. While this is an external dependency not on the pre-approved list, it is used for its primary stated purpose and does not involve the execution of arbitrary scripts or untrusted packages.
Audit Metadata