amex-travel

Fail

Audited by Snyk on Apr 30, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt tells agents to ask the user for the Amex 2FA code and then write it with a literal shell command (e.g., echo "123456" > /tmp/amex-2fa-code.txt), which requires the LLM to output secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). The skill's scripts (scripts/search_flights.py) autonomously navigate and scrape public Amex travel pages (https://www.americanexpress.com/en-us/travel, amextravel.com/travel.americanexpress.com and related partner domains), extracting window.appData and DOM elements (e.g., data-testid="hotel-offer-card"). As a result, the agent directly ingests untrusted third‑party webpage content (including TripAdvisor/review text), which is parsed and used to drive decisions and automated actions such as IAP detection, pricing comparisons, login/2FA handling, and form submission.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.70). The skill's setup and Dockerfile explicitly reference and instruct pulling/running remote container images (ghcr.io/borski/amex-travel:latest and FROM ghcr.io/borski/patchright-docker:latest), which would fetch and execute remote code at runtime if the Docker path is used.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: HIGH
Analyzed: Apr 30, 2026, 11:13 AM
Issues: 3