Back to skill

Security audit

explore-nepal

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Nepal flight-search skill, but it tells the agent to install and run an unpinned global CLI without a clear user approval gate.

Install only if you trust the FlyAI CLI and are comfortable approving a global npm package on your machine. Prefer running it in a sandbox or asking the agent to get explicit confirmation before any install or external search, and treat this as a flight-search helper rather than a full travel-booking suite.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The skill explicitly says only listed flags exist, then later instructs use of an undocumented flag `--journey-type`. This inconsistency can push an agent to ignore its own validation rules and execute commands it was told not to invent, increasing the chance of unsafe or unintended CLI usage if the interface behaves unexpectedly or if future undocumented flags expose sensitive behavior.

Vague Triggers

Medium
Confidence
83% confidence
Finding
Using an overly broad trigger like `discover` can cause accidental activation on unrelated requests, especially in multi-skill environments. That increases the chance the agent runs travel-booking workflows, collects parameters, or executes external commands when the user did not intend to book travel at all.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill mandates installing a global npm package (`npm i -g @fly-ai/flyai-cli`) automatically if the CLI is missing, without warning, consent, or provenance checks. This creates a clear supply-chain and host-modification risk because an agent could alter the user's environment or fetch untrusted code from a registry merely to satisfy the skill workflow.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document instructs users to run a global npm install for a third-party CLI without any integrity, provenance, or least-privilege guidance. Installing and executing globally available packages can expose users to supply-chain compromise, unintended system-wide changes, or execution of untrusted post-install scripts, especially because this is presented as a required recovery step.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The fallback playbook sends itinerary details to external search commands, including a free-form keyword query, without any stated notice, minimization, or consent boundary. This creates a privacy and data-handling risk because user travel plans may be transmitted more broadly than expected, especially in the keyword-search step which may include sensitive itinerary context in less structured form.

Ssd 4

Medium
Confidence
84% confidence
Finding
The workflow conditions the agent to perform environment checks, installation, and command execution before fully validating command safety and parameter consistency. In practice this lowers resistance to unsafe execution paths, especially when combined with contradictory flag guidance and mandatory external CLI dependence.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.