Security audit

airport-lounge

Security checks across malware telemetry and agentic risk

Overview

This travel-search skill is coherent, but it needs review because it tells agents to automatically install and run an unpinned global npm CLI.

Install only if you trust the flyai npm package and are comfortable sending travel search details to that provider. Do not let the agent perform the global npm install automatically; approve installation manually, preferably with a pinned version and a clear uninstall path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding
The skill explicitly says agents must never invent CLI parameters, yet a later playbook uses `--journey-type 1`, which is not listed in the Parameters Table. This inconsistency can cause an agent to execute unsupported commands or start trusting contradictory instructions, weakening command safety guarantees and increasing the chance of unsafe or failing tool use.

Intent-Code Divergence

Severity: Medium
Confidence: 86%
Finding
The activation rules say not to use this skill for first-class requests, but the later parameter-mapping section instructs the agent how to handle "first class lounge" within this same skill. Conflicting routing guidance can cause the wrong skill to activate and perform actions outside its intended scope, undermining policy boundaries and increasing the risk of unintended bookings or misleading results.

Intent-Code Divergence

Severity: Low
Confidence: 95%
Finding
The template instructs the agent to present search results as 'Powered by flyai' even though the skill metadata says the service is powered by Fliggy. This creates a trust and provenance mismatch that can mislead users about who is providing pricing and booking links, which is especially sensitive in a travel-booking context involving purchases and redirects.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The activation triggers include broad phrases like "travel booking" and "trip search," which are much wider than airport-lounge flight requests. Overbroad triggering can invoke this skill for unrelated travel queries, causing unnecessary external command execution, incorrect task handling, and potential tool misuse in contexts the user did not intend.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The skill directs the agent to globally install and run `@fly-ai/flyai-cli` via `npm i -g` without explicit user consent or any warning that this modifies the host environment. That creates a real supply-chain and system-integrity risk: the agent may change the system state, install untrusted code, or introduce persistent tooling based solely on skill instructions.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The trigger terms "cheap" and "budget" are very broad and commonly appear in normal travel conversations, so this playbook may activate when the user did not specifically request the cheapest-flight workflow. In a travel-booking skill, unintended activation can steer users toward cost-optimized results over their actual preferences, causing misrouting of agent behavior and potentially incorrect bookings or recommendations.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The trigger terms "fast" and "quick" are ambiguous because they can refer to response speed, booking speed, or itinerary duration rather than specifically requesting the fastest route. This makes accidental invocation plausible, and in a travel context it can cause the system to prioritize short duration itineraries when the user intended something else.

Vague Triggers

Severity: Low
Confidence: 82%
Finding
The fallback condition "0 results from above playbooks" is underspecified because it does not define which playbooks were attempted, how many retries are allowed, or when keyword search is safe to invoke. In practice, this can broaden execution unexpectedly and trigger a less precise search path, increasing the chance of irrelevant actions or unintended external queries.

Ssd 4

Severity: Medium
Confidence: 95%
Finding
The skill uses strong, mandatory language to force the agent into checking for and, if necessary, installing and executing an external CLI before answering. This stepwise structure normalizes privileged tool use and can pressure an agent to override safer defaults, making unsafe execution appear required for compliance with the skill.

VirusTotal

63/63 vendors flagged this skill as clean.
