duffel

BENIGN in publisher/data-flow alignment: it uses official Duffel endpoints, expected headers, and proportionate credentials for travel booking. However, it is HIGH RISK operationally because it enables autonomous real-world booking and cancellation actions and handles passenger PII, with a minor extra trust concern from the unverified optional `zero doctor` troubleshooting command.