Security audit

charter-flight

Security checks across malware telemetry and agentic risk

Overview

This travel skill appears to search commercial flights while presenting itself as charter or private-jet booking, and it also asks the agent to install and use an external CLI with sensitive itinerary data.

Review this before installing. It should not be treated as a real charter or private-jet booking tool unless the publisher fixes the disclosures and workflow. Only use it if you are comfortable installing the flyai CLI, sending travel details to that service, and accepting the current local logging behavior; avoid entering passport, payment, or other highly sensitive personal data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Intent-Code Divergence

Medium (90% confidence)
Finding
The skill explicitly states that agents must never invent CLI parameters and only use documented flags, but later instructs use of `--back-date`, which is not listed in the parameters table. This inconsistency can cause failed executions, undefined behavior, or encourage agents to disregard interface constraints, weakening safety and reliability guarantees.

Description-Behavior Mismatch

High (97% confidence)
Finding
The skill is marketed as enabling charter flights, private jets, and exclusive aircraft bookings, but the implementation only searches scheduled commercial flights and later admits actual charter/private jet booking is not performed. This is a material capability misrepresentation that can mislead users into making travel or purchasing decisions based on results that do not match the requested service.

Intent-Code Divergence

Medium (95% confidence)
Finding
The playbook maps 'private jet charter' and 'premium charter' requests to a first-class scheduled-flight search, which is a misleading substitution rather than a valid approximation of private aviation inventory. Users may incorrectly believe the skill found private jet options when it only returned premium seats on regular airlines.

Description-Behavior Mismatch

Medium (90% confidence)
Finding
The fallback to `flyai keyword-search` uses a broad, generic query instead of staying within the bounded flight-search workflow. That expands the agent's behavior beyond the declared travel-booking scope and can cause retrieval of untrusted or irrelevant content, increasing the chance of prompt injection, misleading results, or unsafe actions based on loosely scoped search output.

Description-Behavior Mismatch

Medium (95% confidence)
Finding
The skill is marketed and framed as supporting charter/private jet bookings, but the actual workflow and result template only return scheduled commercial flight search results. This mismatch can mislead users into making decisions based on incorrect service capabilities, creating a deceptive booking flow and reducing informed consent about what is actually being provided.

Intent-Code Divergence

Medium (93% confidence)
Finding
The file title and output headers prominently present the feature as 'charter flights' even though the template later admits the results are only scheduled flights. In a travel-booking context, this is particularly risky because users may assume premium or private aviation services are being sourced when they are not, which is materially misleading and can enable social engineering or fraudulent service representation.

Missing User Warnings

Medium (96% confidence)
Finding
The skill instructs the agent to install a global package with `npm i -g @fly-ai/flyai-cli` automatically if the CLI is missing, without requiring user consent or warning about system modification. This creates a supply-chain and environment-integrity risk because executing installation commands changes the host and trusts external code from a package registry.

Missing User Warnings

Medium (94% confidence)
Finding
The skill mandates external CLI execution for all travel queries but does not clearly warn users that their travel details may be transmitted to a third-party service. This undermines informed consent and can expose sensitive itinerary, location, and timing information to external systems without transparent disclosure.

Missing User Warnings

Medium (90% confidence)
Finding
Automatically searching an alternative date without notifying or obtaining confirmation from the user can cause the agent to act on materially different travel criteria than requested. In a travel-booking context, this can mislead users, produce incorrect itineraries or quotes, and potentially cascade into unintended reservations or downstream actions based on false assumptions.

Missing User Warnings

Medium (95% confidence)
Finding
The runbook explicitly records the raw user query in an internal execution log and suggests persistent storage to a local log file, but provides no disclosure, minimization, redaction, retention, or access-control guidance. In a travel-booking skill, user queries may contain passport details, names, dates of travel, contact information, or other sensitive itinerary data, so storing raw input increases privacy and compliance risk if logs are exposed or retained too broadly.

Ssd 3

Medium (76% confidence)
Finding
Referring the agent to an execution log 'in the background' can encourage access to prior run data or retained context beyond what is necessary for the current user request. In a travel-booking context, such logs may contain sensitive personal itineraries or booking-related details, increasing privacy exposure if reused or reviewed implicitly.

VirusTotal

62/62 vendors flagged this skill as clean.