amex-travel
Warn
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/search_flights.pyutilizes theAMEX_2FA_COMMANDenvironment variable to execute user-defined shell commands viasubprocess.run(shell=True). This mechanism is designed for 2FA automation but allows for arbitrary command execution in the host environment. - [CREDENTIALS_UNSAFE]: The skill requires users to provide their American Express credentials through environment variables (
AMEX_USERNAME,AMEX_PASSWORD). Additionally, it persists sensitive session information by saving browser cookies to a local file (cookies.json) in the user's profile directory. - [EXTERNAL_DOWNLOADS]: The skill depends on
patchright, which is identified as an 'undetected Playwright fork'. It also references a custom Docker imageghcr.io/borski/amex-travel. These dependencies on non-standard or vendor-specific forks represent a potential supply chain risk. - [PROMPT_INJECTION]: The hotel search functionality scrapes hotel names, amenities, and benefit descriptions directly from the DOM using
innerTextand regex patterns. This external, untrusted content is then presented to the agent without sanitization, creating a surface for indirect prompt injection. - Ingestion points: DOM scraping in
scripts/search_flights.py(specificallyextract_app_data_hotelsand_parse_offer_card_text). - Boundary markers: Absent. The scraped data is converted into markdown tables for agent consumption without delimiters.
- Capability inventory: The skill has the ability to execute shell commands (
subprocess.run) and perform broad network operations through the automated browser. - Sanitization: None. The script performs raw text extraction and regex-based parsing from the browser context.
Audit Metadata