Luxury Hotel

Security checks across malware telemetry and agentic risk

Overview

The skill’s hotel-search purpose is coherent, but it automatically installs a global CLI and may quietly save raw travel queries and command logs locally.

Review before installing. Use only if you trust the flyai CLI provider, are comfortable sending travel searches to that service, and can prevent automatic global installs unless you approve them. Consider installing a verified CLI version yourself and disabling or deleting `.flyai-execution-log.json` if travel details are sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The templates embed branding and operational instructions for a different tool ('flyai'/'flyai-cli') than the declared Fliggy-powered luxury-hotel skill. This can mislead users into invoking the wrong CLI, trusting an unrelated service, or disclosing travel queries and booking-related data to an unintended system, creating a supply-chain and phishing-style confusion risk.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The document presents itself as the luxury-hotel skill, but its footer and failure guidance claim outputs are powered by 'flyai' and depend on 'flyai-cli', directly contradicting the skill identity. In a travel-booking context, this inconsistency increases the chance of user deception, accidental use of the wrong service, and erosion of provenance guarantees for booking links and real-time pricing.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger phrase "best luxury hotel" is broad enough to overlap with normal user travel queries, which can cause this playbook to activate when the user did not explicitly intend this specific workflow. In an agent system, overly broad routing can lead to incorrect command execution, parameter binding, or unintended narrowing of results to 5-star inventory only.

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger phrases "presidential suite" and "总统套房" are ambiguous because they may appear in general discussion, comparison, or translation contexts rather than an actual booking request. Without stronger scope constraints, the agent may invoke a hotel search command prematurely and produce action-oriented results from conversational text.

Vague Triggers

Medium
Confidence: 86%
Finding
The triggers "spa hotel" and "带SPA" are broad travel terms that can easily match routine preference statements, making unintentional playbook activation likely. In this skill, the consequence is biased execution of a 5-star spa-specific search, which may ignore broader user needs and reduce reliability of agent behavior.

Missing User Warnings

Medium
Confidence: 96%
Finding
The runbook explicitly requires storing raw user input, CLI command history, and execution metadata in an internal log, and further instructs appending that data to a local file if writes are available. This creates unnecessary collection and retention of potentially sensitive travel data without any notice, minimization, or consent mechanism, increasing privacy and local data exposure risk.

Natural-Language Policy Violations

Medium
Confidence: 98%
Finding
The file states that the agent maintains the log internally and that it is not shown to users, while the schema includes the raw input as `user_query`. Hidden collection of user-provided content is risky because travel-related requests may contain personal, financial, itinerary, or identity information, and users are given no awareness or control over that retention.

VirusTotal

44/44 vendors flagged this skill as clean.
