american-airlines
Warn
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/check_balance.pyusessubprocess.run(hook_cmd, shell=True)to execute a command provided through theAA_2FA_COMMANDenvironment variable. While intended as a feature for automating 2FA code retrieval, the use ofshell=Trueon an externally-provided string allows for arbitrary shell command execution. - [CREDENTIALS_UNSAFE]: The skill implements a persistence mechanism by saving browser profiles, including session cookies, to
~/.aa-browser-profiles/. This allows future runs to bypass 2FA but stores sensitive authentication tokens in a predictable location on the file system. - [EXTERNAL_DOWNLOADS]: The skill requires the installation of
patchright, an external library used for bypassing bot detection, and references Docker images hosted onghcr.io/borski/. These are vendor-specific resources required for the skill's primary function. - [DATA_EXPOSURE]: The script saves debug screenshots to
/tmp/aa-debug.pngand reads 2FA codes from/tmp/aa-2fa-code.txt. In shared environments, sensitive account information or 2FA codes in `/tmp/ could be accessible to other local users. - [INDIRECT_PROMPT_INJECTION]: The skill has a surface for indirect prompt injection as it processes and extracts text from external web pages (AA.com).
- Ingestion points: Data is extracted from the American Airlines account summary page in
scripts/check_balance.pyusingpage.evaluate(). - Boundary markers: None. The script directly parses the page content.
- Capability inventory: The script has
subprocess.runcapabilities (for 2FA hooks) and file system access (for profiles and temporary files). - Sanitization: Extracted data is validated against regex patterns or converted to integers, which provides some mitigation against malformed data.
Audit Metadata