business-flights

Security checks across malware telemetry and agentic risk

Overview

The skill’s travel-search purpose is coherent, but it tells agents to make global or privileged installs and appears to persist sensitive travel queries without clear user control.

Review before installing. Use only if you are comfortable installing and running the flyai CLI, sending travel-search details to that provider, and managing any local logs. Avoid sudo/global installation unless you explicitly trust the package source, and delete or disable logs that may contain personal travel details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Intent-Code Divergence

Medium
89% confidence
Finding
The skill explicitly says to never invent unsupported CLI parameters, but later instructs use of `--back-date` even though it is not listed in the allowed parameters. This inconsistency can cause agents to invoke undocumented behavior, fail unpredictably, or normalize using unverified flags from prompt text rather than trusted interface documentation.

Context-Inappropriate Capability

Medium
92% confidence
Finding
The runbook explicitly records raw user queries and full CLI commands in an internal execution log, which can capture sensitive travel details, identifiers, and operational parameters beyond what is necessary to provide booking or search functionality. In a travel-assistance context, users may provide names, dates, destinations, passport/visa context, or other personal data, so retaining this data increases privacy and data-exposure risk without clear necessity.

Context-Inappropriate Capability

Medium
90% confidence
Finding
The runbook directs writing execution logs to a local file, creating durable storage of potentially sensitive interaction data on disk. Persistent local logging is not clearly required for a business-travel search skill and can expose data to other local users, backup systems, or later compromise if file permissions and retention are not tightly controlled.

Missing User Warnings

Medium
94% confidence
Finding
The skill instructs the agent to install a global npm package automatically if the CLI is missing, which modifies the host environment without explicit user approval. In an agent context, automatic package installation is risky because it expands trust to the npm supply chain and can introduce arbitrary code execution during install scripts.

Missing User Warnings

Medium
96% confidence
Finding
The prerequisite section includes `npm i -g @fly-ai/flyai-cli` without any user-facing warning about global system modification or installation risk. Because npm packages may run lifecycle scripts and affect the whole environment, embedding this as a routine recovery step makes unintended code execution and persistence more likely.

Missing User Warnings

Medium
95% confidence
Finding
The fallback instructs users to run a global npm install and then escalate to `sudo npm i -g`, which can execute package installation scripts with root privileges and modify the host system. In an agent skill context, this is risky because it normalizes privileged system changes as part of routine fallback behavior without warning, isolation guidance, or safer alternatives.

Missing User Warnings

Medium
95% confidence
Finding
Persisting raw user input without user-facing disclosure creates a transparency and privacy problem, especially for a travel skill where queries may contain personal itinerary details, employer-related travel information, or regulated data. Users are not informed that their input may be stored internally and potentially written to disk, undermining informed consent and increasing compliance risk.

Missing User Warnings

Medium
93% confidence
Finding
The instructions to append execution logs to a local file provide a mechanism for silent local data persistence without any warning in the runbook about disclosure, retention, or user awareness. Because the same log schema includes raw queries and command details, this persistence amplifies the chance of unnoticed collection and later exposure of sensitive travel or account-related data.

VirusTotal

65/65 vendors flagged this skill as clean.
