Back to skill

Security audit

explore-italy

Security checks across malware telemetry and agentic risk

Overview

This Italy flight-search skill is mostly understandable, but it should be reviewed because it tells agents to automatically install and run an unpinned global npm CLI package.

Review before installing. Use this only if you trust the flyai CLI and are comfortable sending travel search details such as origin, destination, dates, and preferences to that provider. Do not allow automatic global npm installation unless you have explicitly approved the package source and understand it will remain installed on your system.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The manifest markets a broad travel-assistant capability set including hotels, trains, attractions, visas, insurance, and car rentals, but the documented implementation only supports flight search via the flyai CLI. This capability mismatch can mislead the host agent or user into over-trusting the skill, increasing the chance of incorrect delegation, unsafe user expectations, or downstream prompt-routing abuse.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The skill explicitly says only documented flags may be used, but a playbook later invokes an undocumented --journey-type flag. This inconsistency undermines safe command construction, can cause agents to ignore their own parameter constraints, and may normalize use of hidden or unreviewed CLI options.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill instructs the agent to automatically run a global npm installation of external software without user confirmation or a trust prompt. Installing and executing third-party code at runtime expands the attack surface substantially, creating risk of supply-chain compromise, privilege misuse, environment modification, and persistence on the host system.

Ssd 4

Medium
Confidence
95% confidence
Finding
The workflow normalizes checking for, installing, and then executing external CLI tooling before assisting the user, making untrusted code execution part of the default path. In an agent environment, this is dangerous because it conditions the system to perform environment-changing actions and external command execution with minimal scrutiny, especially when driven by untrusted skill instructions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.