Security audit

camping-flight

Security checks across malware telemetry and agentic risk

Overview

This flight-search skill is not clearly malicious, but it needs review because it can make an agent globally install and run an external CLI for broadly matched travel requests.

Install only if you are comfortable with an agent running flyai commands and potentially installing @fly-ai/flyai-cli globally. Prefer approving the install manually, pinning or verifying the package yourself, and reviewing each command before it runs, especially for non-camping or ambiguous travel requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The skill explicitly says agents must only use documented CLI parameters, but the Direct Route playbook uses `--journey-type 1`, which is not listed in the Parameters table. This inconsistency can push an agent to rely on undocumented behavior, increasing the chance of unsafe execution, unexpected command behavior, or hidden capability use in a tool the user did not authorize in detail.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation logic includes broad phrases like 'book a flight' and similar generic booking terms, which can cause this skill to trigger for ordinary travel requests well beyond camping-specific scenarios. That over-broad routing increases the chance that an agent will follow this skill's local execution and installation steps in contexts where the user did not intend to invoke this particular external toolchain.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill instructs the agent to install a global npm package if the CLI is missing, without any consent, warning, or trust verification step. Installing software globally is a privileged local action that can modify the execution environment, introduce supply-chain risk, and violate user expectations for a simple travel query.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger set for the 'Cheapest Option' playbook includes broad terms like 'cheap' and 'budget' without flight-specific scoping. In a multi-purpose travel skill, these phrases can be invoked during unrelated requests about hotels, train tickets, insurance, or general budgeting, causing unintended tool execution and incorrect flight searches.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger terms 'fast' and 'quick' are highly ambiguous and can match general conversation style or requests unrelated to flight duration. Because this skill supports many travel services, these generic phrases may route users into the 'Fastest Route' flight workflow even when they intended a different product or simply wanted a quick answer, leading to unintended searches and unreliable behavior.

Ssd 4

Medium
Confidence
97% confidence
Finding
The skill creates a mandatory workflow where a benign travel request is converted into checking for, installing, and executing an external CLI before any answer is allowed. This is dangerous because it normalizes privileged local actions as part of routine assistance, making tool execution and environment modification the default path even when unnecessary.

VirusTotal

65/65 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.