Flyai / Flight Price Watcher - Airfare drops, I'll keep an eye on them for you

Security checks across malware telemetry and agentic risk

Overview

This flight-price watcher is purpose-aligned overall, but it can send travel details to a fixed DingTalk recipient and builds shell commands from dynamic flight/message data.

Review this before installing. Set DINGTALK_TARGET_ID to your own recipient, clear the bundled tasks.json state, avoid installing with sudo npm, and treat the shell-command based message sending as needing a safety fix before enabling automatic alerts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Context-Inappropriate Capability (Medium, 94% confidence)
The skill instructs the agent to run system shell commands to detect and verify a CLI tool on the host. For a conversational flight-watcher, host command execution is an unnecessary expansion of privilege that could expose environment details or be abused to run unintended commands if the pattern is generalized.

Context-Inappropriate Capability (High, 97% confidence)
The installation guidance tells the agent to facilitate npm-based package installation and even suggests sudo for permission issues. Encouraging host modification and privilege escalation is dangerous because it can change the user's system state, install untrusted packages, or normalize running package managers as root.

Intent-Code Divergence (High, 97% confidence)
The code later constructs shell commands using message content interpolated directly into a quoted command string passed to exec. Because message text includes flight data and URLs derived from external CLI output and stored task content, an attacker can inject shell metacharacters or quote breaks, leading to arbitrary command execution when sending DingTalk messages.

Description-Behavior Mismatch (Medium, 89% confidence)
The skill sends proactive DingTalk messages via an external CLI as a side effect of task creation, which exceeds simple local price monitoring and introduces outbound communication behavior. This can expose user travel data to external systems and create unexpected message delivery without explicit user consent or clear scoping.

Context-Inappropriate Capability (Medium, 95% confidence)
The task manager executes external shell commands for both flight lookup and messaging, giving the skill command-execution capability beyond its narrowly described purpose. Although some input sanitization exists for the flight search path, shell invocation remains risky and expands the attack surface, especially because the DingTalk message command interpolates unescaped dynamic content into a shell string.

Context-Inappropriate Capability (Medium, 94% confidence)
The code builds a shell command with untrusted task fields (`from`, `to`, `date`) and executes it via `exec`, which invokes a shell. If those values are attacker-controlled through `tasks.json` or upstream input, this can lead to command injection and arbitrary command execution, not just flight lookup. In a flight-monitoring skill, adding generic subprocess execution is more dangerous because the business need is narrow while the primitive exposed is broad.

Context-Inappropriate Capability (Medium, 96% confidence)
The alerting path also constructs a shell command containing dynamic content from `task` and `flight` fields, including `jumpUrl`, then executes it with `exec`. Because the message is wrapped in shell quotes, special characters can break out of the argument and trigger arbitrary command execution; even without injection, this unnecessarily grants subprocess capability to a notification path. The skill context increases risk because external flight data may be partially untrusted and gets embedded directly into the command.

Missing User Warnings (Medium, 85% confidence)
The skill does not clearly warn users that it will send flight details and purchase links through DingTalk notifications. In context, outbound messaging can disclose itinerary interests and expose users to tracking or phishing-like purchase-link interactions if not clearly consented to.

Vague Triggers (Medium, 84% confidence)
The trigger phrases are broad and map to common travel-planning language, which makes accidental invocation plausible during ordinary conversation. In this skill, unintended activation could create monitoring tasks and send notifications to a DingTalk target, causing privacy issues, spam, or actions the user did not explicitly intend.

Vague Triggers (Medium, 95% confidence)
The trigger phrase "这是什么" ("what is this") is overly broad and can easily appear in ordinary conversation unrelated to this skill, increasing the chance of accidental invocation. In a conversational assistant context, unintended activation can confuse users, interrupt workflows, and potentially expose or execute skill behavior when the user did not mean to use it.

Missing User Warnings (Medium, 83% confidence)
The skill persistently stores task data, including travel routes, dates, selected flights, and price history, without any visible user notice, consent flow, retention policy, or access controls. This creates a privacy risk because sensitive itinerary preferences are written to disk and may be retained longer than users expect.

Missing User Warnings (Medium, 80% confidence)
The script automatically sends detailed itinerary and price information to a hard-coded DingTalk target without any runtime confirmation or visible consent flow. That creates a privacy and data-sharing issue: trip plans, dates, and booking links may be disclosed to an unintended recipient, especially in test mode or shared environments. In this skill, outbound notifications are expected, but the hard-coded recipient and lack of confirmation make it riskier than a normal alert feature.

VirusTotal

64/64 vendors flagged this skill as clean.