Security audit

Explore Bali

Security checks across malware telemetry and agentic risk

Overview

This Bali travel skill is coherent, but it needs review because it can auto-install a global CLI and persist raw travel requests without clear user control.

Review before installing. Use it only if you are comfortable with a global @fly-ai/flyai-cli install, outbound travel searches to the provider, booking links, and local execution logs. Avoid entering passport, payment, or highly sensitive trip details, and disable or delete .flyai-execution-log.json if you do not want raw requests retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding
The fallback instructs the agent to use general/domain knowledge for visa information when authoritative data is unavailable, which can lead to outdated or jurisdiction-specific immigration advice being presented as usable guidance. In a travel-booking skill, incorrect visa requirements can cause denied boarding, entry refusal, financial loss, or legal/compliance issues, and it also conflicts with the earlier instruction not to answer from training data.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding
The activation triggers on broad destination keywords like "Bali" or "Ubud" without requiring clear booking or trip-planning intent. In an agent environment, this can cause the skill to activate on casual conversation and then follow its mandatory workflow, including command execution and possible package installation, creating unnecessary tool use and expanding the attack surface.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill instructs the agent to install a global npm package (`npm i -g @fly-ai/flyai-cli`) and proceed automatically if the CLI is missing, without an explicit user approval gate or warning that this modifies the host environment. This is dangerous because it can change system state, introduce supply-chain risk from an external package, and violate least-privilege expectations in response to a simple travel query.
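The approval gate this finding says is missing, as an added example and not code from the Explore Bali skill or the flyai CLI. It assumes the installed binary is called `flyai` (the page names only the npm package) and that a one-word reply is how the agent host collects user approval. The `which` and `runner` parameters are injectable so the decision logic can be exercised without touching the host.

```python
import shutil
import subprocess

PACKAGE = "@fly-ai/flyai-cli"   # the package the audited skill installs
BINARY = "flyai"                # ASSUMPTION: the page names only the package, not its binary


def bootstrap_cli(approved: bool, version=None, which=shutil.which, runner=subprocess.run) -> dict:
    """Resolve the CLI without silently modifying the host.

    Returns a dict describing what happened:
      {"action": "run", "path": ...}                              binary present, proceed
      {"action": "ask", "prompt": ...}                            missing and NOT approved: stop
      {"action": "install", "command": [...], "returncode": ...}  approved install ran
    """
    path = which(BINARY)
    if path:
        return {"action": "run", "path": path}

    if not approved:
        # The gate the audit says is missing: nothing is installed without an explicit yes,
        # and the prompt states plainly that the host is about to be modified.
        return {
            "action": "ask",
            "prompt": (f"{PACKAGE} is not installed. Installing it with `npm -g` modifies "
                       "this machine and pulls code from the npm registry. "
                       "Reply 'install' to approve, or 'skip' to continue without it."),
        }

    spec = f"{PACKAGE}@{version}" if version else PACKAGE
    # --ignore-scripts blocks pre/postinstall lifecycle scripts, a common supply-chain
    # foothold; drop it only if the package is known to need them to function.
    command = ["npm", "install", "-g", "--ignore-scripts", spec]
    result = runner(command, check=False, capture_output=True, text=True)
    return {"action": "install", "command": command, "returncode": result.returncode}


if __name__ == "__main__":
    # Probes the local machine; with approved=False it never installs anything.
    print(bootstrap_cli(approved=False))
```

Pinning `version` to a reviewed release is what turns "install whatever the registry serves today" into a reproducible, auditable dependency; an unpinned global install is exactly the supply-chain exposure the finding describes.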

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The trigger phrase "Bali trip" is broad enough to match ordinary user travel conversation rather than a clearly intentional invocation of this specific playbook. In a booking-capable travel skill, that can cause the agent to execute a predefined command sequence and steer or initiate planning actions when the user may only be discussing travel generally, increasing the risk of unintended tool use or action selection.
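Both Vague Triggers findings come down to the same mechanism: a destination keyword alone is treated as an invocation. The following is an added example, not the skill's own trigger logic, contrasting that keyword match with an intent-gated match over constructed utterances. The destination and intent-cue lists are assumptions chosen for illustration.

```python
import re

# Constructed lists (not from the audited skill): the broad destination keywords
# the audit flags, and words that signal a booking or planning request.
DESTINATIONS = ("bali", "ubud")
INTENT_WORDS = ("book", "booking", "plan", "planning", "itinerary", "flight",
                "flights", "hotel", "hotels", "visa", "insurance", "how much")


def keyword_trigger(text: str) -> bool:
    """The flagged behaviour: fire on any destination mention, even as a substring."""
    lowered = text.lower()
    return any(dest in lowered for dest in DESTINATIONS)


def _has_word(text: str, word: str) -> bool:
    return re.search(r"\b" + re.escape(word) + r"\b", text) is not None


def intent_trigger(text: str) -> bool:
    """Hardened form: a whole-word destination AND an explicit planning/booking cue."""
    lowered = text.lower()
    if not any(_has_word(lowered, dest) for dest in DESTINATIONS):
        return False
    return any(_has_word(lowered, cue) for cue in INTENT_WORDS)


def decide(text: str) -> str:
    """What a gate in front of the mandatory workflow should return for an utterance."""
    return "run_workflow" if intent_trigger(text) else "ignore"


# Constructed utterances: casual mentions first, then genuine planning requests.
SAMPLES = [
    "My cousin just got back from Bali and loved it.",
    "I tried a Balinese recipe last night.",
    "My Bali trip last year was the best holiday ever.",
    "Can you plan a five-day Bali trip for two in March?",
    "Book me a flight to Bali and a hotel in Ubud.",
    "Do I need a visa for Bali as a UK passport holder?",
    "What's the weather like in Lisbon?",
]


def compare(samples=SAMPLES) -> list:
    """Side by side: (utterance, broad trigger fired, gated trigger fired)."""
    return [(s, keyword_trigger(s), intent_trigger(s)) for s in samples]


if __name__ == "__main__":
    for text, broad, gated in compare():
        print(f"broad={str(broad):5} gated={str(gated):5}  {text}")
```

On the constructed samples the broad trigger fires on every Bali mention, including the recipe and last year's holiday, which in the audited skill would start command execution and a possible package install; the gated version fires only on the three requests that actually ask for planning, booking, or visa help. A real gate would also want a confirmation turn before any install, since intent words can appear in pasted text.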

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The runbook explicitly records the raw user query and appends the generated log to a local file, which creates a persistent store of potentially sensitive travel and booking data without any stated retention limits, minimization, access controls, or user notice. In this skill context, users may provide names, itineraries, visa details, insurance needs, or other personal data, so retaining raw input materially increases privacy and compliance risk if the host is shared, compromised, or logs are later reused.
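What minimization, retention, and access control would look like for this log, as an added example that is not the skill's own logging code. It writes the flagged shape (raw query on disk) next to a hardened shape (fingerprint plus coarse tags, pruned by age and count, owner-only permissions). The retention values, tag vocabulary, and `flyai search` command shape are assumptions; the sample request is constructed.

```python
import hashlib
import json
import os
import re
import tempfile
import time

LOG_PATH = ".flyai-execution-log.json"   # the file the audited skill writes
MAX_ENTRIES = 50                          # ASSUMED policy values, not from the page
RETENTION_SECONDS = 7 * 24 * 3600

# Coarse request categories kept instead of the request text itself.
TAG_WORDS = {"flight": "flight", "flights": "flight", "hotel": "hotel", "hotels": "hotel",
             "visa": "visa", "insurance": "insurance", "itinerary": "itinerary"}


def raw_entry(query: str, command: list, now: float) -> dict:
    """The flagged shape: the user's words land on disk verbatim."""
    return {"ts": now, "query": query, "command": command}


def minimized_entry(query: str, command: list, now: float) -> dict:
    """Hardened shape: a fingerprint and coarse tags, never the text.

    The SHA-256 is for de-duplication and correlation only; a short, guessable
    query can be brute-forced from its hash, so treat it as a handle, not as a secret.
    """
    words = set(re.findall(r"[a-z]+", query.lower()))
    tags = sorted({TAG_WORDS[w] for w in words if w in TAG_WORDS})
    return {
        "ts": now,
        "query_sha256": hashlib.sha256(query.encode()).hexdigest(),
        "query_chars": len(query),
        "tags": tags,
        "tool": command[0],   # tool name only; its arguments may echo the request
    }


def prune(entries: list, now: float) -> list:
    """Drop entries older than the retention window, then cap the count."""
    fresh = [e for e in entries if now - e["ts"] <= RETENTION_SECONDS]
    return fresh[-MAX_ENTRIES:]


def append_entry(path: str, entry: dict, now: float) -> list:
    """Append with pruning and keep the file readable by its owner only."""
    entries = []
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            entries = json.load(fh)
    entries = prune(entries + [entry], now)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(entries, fh, indent=2)
    os.chmod(path, 0o600)   # no effect on Windows beyond the read-only bit
    return entries


# Constructed request carrying exactly the data the audit warns about.
SAMPLE_QUERY = ("Book flights for Jane Doe, passport X1234567, to Bali 3-10 March "
                "and a hotel in Ubud; travel insurance too")
SAMPLE_COMMAND = ["flyai", "search", SAMPLE_QUERY]   # ASSUMED CLI shape


def run_demo() -> tuple:
    """Write both shapes under a temp dir; return (raw_json, minimized_entries_on_disk)."""
    now = time.time()
    path = os.path.join(tempfile.mkdtemp(), LOG_PATH)
    raw_json = json.dumps(raw_entry(SAMPLE_QUERY, SAMPLE_COMMAND, now))
    # One entry just past the retention window, to show it being pruned.
    stale_ts = now - RETENTION_SECONDS - 1
    append_entry(path, minimized_entry("old request", ["flyai"], stale_ts), stale_ts)
    entries = append_entry(path, minimized_entry(SAMPLE_QUERY, SAMPLE_COMMAND, now), now)
    return raw_json, entries


if __name__ == "__main__":
    raw_json, entries = run_demo()
    print("flagged shape:  ", raw_json)
    print("hardened shape: ", json.dumps(entries))
```

The point of the side-by-side is that the hardened log still answers the operational questions a runbook log exists for (when did the tool run, which tool, what kind of request) while the name, passport number, and itinerary never reach disk, and a forgotten file on a shared or compromised host holds at most a week of fingerprints.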

VirusTotal

65/65 vendors reported this skill as clean. Note that this result covers the skill files submitted to VirusTotal; it says nothing about the @fly-ai/flyai-cli package the skill installs at runtime, which is fetched from the npm registry at install time and is not part of the scanned artifact.