cargo-flight

Security checks across malware telemetry and agentic risk

Overview

This skill needs review because it appears to overstate cargo-booking capability and includes hidden local logging of raw travel queries plus privileged install guidance.

Review this skill carefully before installing. Treat its flight results as planning references only, not cargo booking or cargo acceptance confirmation. Avoid providing passport, visa, payment, or other sensitive travel details unless logging is removed or clearly controlled, and do not run sudo/global install steps unless you trust the package source and understand the system-wide changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding
The skill manifest advertises air cargo, freight shipping, and oversized luggage booking, but the body of the skill later clarifies it only searches scheduled passenger flights and does not perform actual cargo booking. This mismatch can mislead users and downstream agents into believing the tool can complete regulated logistics actions that it cannot, causing incorrect decisions, failed bookings, or unsafe reliance on passenger itineraries for cargo planning.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The playbooks present outputs as if they return cargo-suitable or cargo-routing results, yet later text states the CLI only searches passenger flights and that real cargo booking must be handled separately. That contradiction can cause an agent or user to overtrust the returned results as operationally valid for freight, despite missing cargo-specific constraints such as airline cargo acceptance, weight limits, dangerous goods rules, and freight handling processes.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The runbook explicitly instructs the agent to perform local environment checks and execute CLI commands such as `flyai --version` and later command invocations. For a travel-booking skill, this expands capability into local system interaction that is not necessary for the stated business purpose, increasing the risk of unintended command execution, host information disclosure, and abuse if downstream command construction ever incorporates user-controlled data.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The log schema stores the raw `user_query` together with detailed execution metadata, and the runbook later prescribes persistence to a local file. In a travel context, raw queries can contain personal, itinerary, payment-adjacent, or visa-related data, so retaining them beyond immediate processing creates unnecessary sensitive-data exposure without clear justification from the skill's stated purpose.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The fallback instructs users to run a global npm install and then escalate to `sudo npm i -g`, which can modify system-wide packages with elevated privileges. In an agent skill context, this is risky because it normalizes privileged command execution without warnings, verification steps, or safer alternatives, increasing the chance of system compromise or accidental damage if the package or install path is unsafe.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The runbook states that the agent maintains an internal execution log, not shown to users, while capturing `user_query` and appending the log to `.flyai-execution-log.json`. Hidden persistence of raw user input and operational details is especially risky for a travel-booking skill because users may provide passport, visa, itinerary, contact, or other sensitive personal information, and there is no notice, consent, minimization, or retention policy described.

VirusTotal

65/65 vendors flagged this skill as clean.