Security audit

medical-tourism

Security checks across malware telemetry and agentic risk

Overview

This travel-booking skill is not clearly malicious, but it tells agents to install and run a persistent external CLI without clear user approval.

Review before installing. Use this only if you are comfortable letting your agent install and run the external flyai CLI; approve the install yourself, verify the package source and version, and treat booking links as third-party travel-service links rather than trusted local results.

SkillSpector

By NVIDIA
Vulnerability patterns checked

  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Intent-Code Divergence

Severity: High. Confidence: 95%.

Finding: The skill explicitly says agents must only use documented CLI parameters, yet later instructs use of an undocumented `--journey-type` flag. This inconsistency can cause agents to invoke unsupported or unintended CLI behavior, increasing the chance of command misuse, unexpected side effects, or unsafe trial-and-error execution in a tool-running environment.

Vague Triggers

Severity: Medium. Confidence: 76%.

Finding: An overly broad activation phrase can cause this skill to trigger on generic travel requests outside its intended medical-tourism scope. In an agentic system that can execute commands and install software, over-triggering increases the chance of unnecessary tool use, incorrect workflow selection, and unintended system modification.

Missing User Warnings

Severity: Medium. Confidence: 98%.

Finding: The skill instructs the agent to globally install a package if the CLI is missing, without user notice or consent. In a real agent environment, this authorizes persistent system modification and third-party code installation based solely on skill text, which is risky because skill content must be treated as untrusted.

Missing User Warnings

Severity: Medium. Confidence: 99%.

Finding: The prerequisite flow has the agent run a global `npm i -g` install with no warning, approval gate, or sandboxing guidance. Because this skill is designed for tool-executing agents, the context makes the issue more dangerous: the instructions can directly lead to unreviewed dependency installation and lasting host changes.

VirusTotal

65/65 vendors flagged this skill as clean.