airport-lounge

Pass

Audited by VirusTotal on Apr 24, 2026.

Findings (1)

The skill requires the agent to perform a global installation of an external NPM package (@fly-ai/flyai-cli) and execute shell commands to search for flights. While these actions are consistent with the stated purpose, the mandatory 'npm i -g' command and the forceful instructions in SKILL.md to bypass the agent's internal knowledge base represent a significant security risk and potential for supply chain exploitation. No direct evidence of malicious exfiltration was found, but the broad execution permissions and requirement to install external binaries warrant a suspicious classification.