marathon-trip

Security checks across malware telemetry and agentic risk

Overview

This travel skill is mostly a real-time flight-search helper, but it tells the agent to install a global third-party CLI automatically before use.

Review before installing. Use it only if you trust the external `@fly-ai/flyai-cli` package and are comfortable sending route, date, and preference data to that provider. Prefer manually verifying or installing the CLI in a sandbox/local environment, and require approval before any package installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Vague Triggers

Medium
Confidence: 83%
Finding
The trigger phrase `plan a trip` is overly broad and can activate this skill for generic travel requests unrelated to marathon travel. In context, accidental activation is more dangerous because the skill then mandates external CLI execution and even installation, potentially causing unneeded tool use or system changes for ordinary user queries.

Vague Triggers

Medium
Confidence: 80%
Finding
The description advertises many travel capabilities beyond the implemented marathon-flight flow, which broadens perceived scope and increases the chance of inappropriate activation. In this skill, that matters because activation leads to prescriptive CLI use and possible package installation, so ambiguous scope can trigger unsafe actions outside the intended domain.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill explicitly instructs the agent to install and run an external CLI if it is missing, without requiring user confirmation or warning about system modification. That creates a direct supply-chain and unauthorized-change risk: a normal information request can cause package installation, execution of third-party code, and exposure of environment/network resources.

Ssd 4

Medium
Confidence: 98%
Finding
The environment-check workflow normalizes checking for a tool, installing it globally, and retrying before servicing the user request. This is dangerous because it conditions the agent to perform privileged or persistent system modifications as a default recovery path, expanding attack surface and creating opportunities for supply-chain compromise or policy bypass.

VirusTotal

65/65 vendors flagged this skill as clean.
