Is copey02/copey-flight-tracker safe?
https://github.com/openclaw/skills/tree/main/skills/copey02/copey-flight-tracker
The copey-flight-tracker skill is a straightforward flight status tool that invokes a Python script against the AviationStack public API. The skill code is clean — no prompt injection markers, no sensitive file reads, no git hooks or autorun mechanisms, and the install was confined to expected files and network connections. The primary concerns are operational rather than malicious: the AviationStack free tier requires HTTP (not HTTPS), which exposes the user's API key as a plaintext URL query parameter on every request, and API responses are rendered to agent output without sanitization, creating a minor MITM-based injection surface.
Findings (5)
MEDIUM API key transmitted in plaintext over HTTP -15
The AviationStack free tier does not support HTTPS. The AVIATIONSTACK_API_KEY is appended as a URL query parameter (?access_key=...) in the HTTP GET request to api.aviationstack.com. Any passive network observer, router, or proxy on the path between the agent host and the API server can capture this key. This is documented behavior but represents a material credential exposure risk.
LOW Unvalidated third-party API response rendered to agent context -10
The display_flight() function prints API response fields (airline name, airport names, status strings, etc.) directly to stdout without sanitization. An adversary who can influence the API response — via DNS hijacking, MITM on the HTTP connection, or compromise of the AviationStack service — could inject prompt-like instructions into the agent's context window.
LOW Executable Python script with external package dependency -18
The skill bundles an executable Python script that requires the requests library to be installed (pip3 install requests). While the script is benign, it represents executable code that runs in the agent's environment and makes outbound network connections. There are no autorun hooks, but the agent is instructed to invoke the script on user request.
LOW External third-party API dependency introduces supply chain surface -9
The skill depends entirely on the availability and integrity of aviationstack.com. If the API service changes ownership, is compromised, or is used to return crafted responses, the skill becomes a vector for injecting content. The HTTP-only constraint also means there is no certificate validation protecting response authenticity.
INFO Sensitive file access events observed — attributed to audit framework -8
Inotify and auditd logs record open/access of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials. Timestamp analysis places the first batch (1771928030) at pre-install audit setup and the second batch (1771928057) at post-install canary verification. No skill code path reads these files. Canary integrity check confirms file contents were not modified.