Security audit

group-flights

Security checks across malware telemetry and agentic risk

Overview

This travel skill is mostly purpose-aligned, but it needs Review because it can install a global CLI, suggests sudo, and may silently persist raw travel queries.

Install only if you are comfortable using flyai for live travel searches and installing its CLI yourself. Do not allow automatic global or sudo installation unless you independently trust the package source, and avoid entering sensitive passenger, passport, or business-travel details unless logging is disabled or controlled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding
The skill explicitly says agents must never invent CLI parameters, but later instructs use of `--back-date {date}` in the parameter-mapping section even though `--back-date` is absent from the documented Parameters table. This creates inconsistent execution guidance that can cause agents to run invalid commands, mishandle user requests, or rely on unsupported behavior when booking travel.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The runbook explicitly records the raw user query, every CLI command, detailed execution steps, and persists the log to a local file when possible. For a travel-booking skill, this creates unnecessary retention of potentially sensitive travel details and identifiers, increasing privacy and data exposure risk without a clear business need or minimization controls.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The skill mandates automatic execution of `npm i -g @fly-ai/flyai-cli` when the CLI is missing, which directs the agent to modify the host system without prior user approval. Automatic global package installation expands the attack surface, can change system state unexpectedly, and may execute package lifecycle scripts from an external registry.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The fallback instructs the user to run a global npm install and escalates to `sudo` if it fails, without any warning about the risks of installing and executing a package with elevated privileges. This can lead to system-wide modification or compromise if the package, its dependency chain, or the install path is malicious or tampered with. The skill context makes this more dangerous because the commands are presented as routine troubleshooting steps for travel booking rather than as potentially sensitive system administration actions.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The fallback says to auto-search the next available date after determining the requested date has passed, which changes a material booking parameter without explicit user confirmation. In a travel-booking context this is risky because it can misrepresent availability, prices, or itinerary options and may lead users toward unintended bookings or decisions based on altered intent.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The fallback playbook issues an additional `keyword-search` external query that may send user travel intent, route, and group-booking context to a broader search surface without explicit disclosure or consent. In a travel-booking skill, this is more concerning because users may expect a scoped provider lookup, not an undisclosed secondary query path that could expand data sharing and produce less-controlled results.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The runbook describes internal logging of raw user input and command execution details while also stating the log is not shown to users, with no notice or consent mechanism. In a travel context, user queries may contain names, dates, destinations, booking references, or other sensitive itinerary data, so undisclosed retention materially increases privacy and compliance risk.

VirusTotal

65/65 vendors flagged this skill as clean.