Back to skill

Security audit

airport-hotel

Security checks across malware telemetry and agentic risk

Overview

This travel-search skill is not clearly malicious, but it asks agents to automatically install and run an unpinned third-party CLI and send travel queries to it without a clear user-consent boundary.

Install only if you trust the @fly-ai/flyai-cli package and are comfortable sending travel search details to that provider. Require approval before any global npm install, prefer a pinned or sandboxed install, and confirm ambiguous travel requests before running searches.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The skill explicitly says agents must never invent CLI parameters and may only use flags from the documented Parameters table, but a later playbook uses `--journey-type 1`, which is not declared there. This inconsistency can cause agents to ignore safety constraints, hallucinate unsupported flags more broadly, or execute commands that fail unpredictably, undermining reliable and auditable command generation.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The skill instructs the agent to run `npm i -g @fly-ai/flyai-cli` automatically if the CLI is missing, without requiring explicit user consent or warning about system modification. Installing a global package changes the host environment, may execute package lifecycle scripts, and exposes the user to supply-chain risk from a third-party dependency.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill mandates external CLI execution for every answer and routes travel search parameters to the `flyai` service, but it does not warn the user that their query data will leave the local agent context. This creates a transparency and privacy problem because itinerary details, locations, and dates may be sent to a third party without informed consent.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrases for the cheapest-option playbook include very generic terms like "cheap" and "budget", which can appear in many unrelated travel requests and cause the playbook to activate when the user did not explicitly ask for flight-price optimization. In a booking skill, this can steer the agent toward an unintended search strategy, producing irrelevant or misleading results and potentially influencing purchase decisions.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The speed-related triggers use broad words like "fast" and "quick", which are ambiguous in a multi-service travel skill and may refer to booking speed, itinerary planning, or another service rather than the fastest flight route. This can lead to unintended invocation of the fastest-route playbook and return results that do not match the user's actual request.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.