Security audit

Explore Thailand

Security checks across malware telemetry and agentic risk

Overview

This Thailand travel skill is purpose-aligned, but it needs review because it can install a global travel CLI and persist raw travel queries locally without clear consent or retention controls.

Review before installing. Only use this skill if you trust the flyai/Fliggy CLI, will explicitly approve any global npm install yourself, and are comfortable sending travel-search details to that provider. Avoid entering passport, payment, credential, or booking-reference details unless necessary, and disable or delete `.flyai-execution-log.json` if you do not want raw queries retained locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The fallback explicitly instructs the agent to provide visa information from generic 'domain knowledge' when authoritative data is unavailable. Visa rules change frequently and are highly jurisdiction-specific, so this can cause the skill to deliver outdated or incorrect legal/travel guidance while appearing trustworthy in a booking context.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding: The README states that the skill provides real-time travel data and booking links, which implies external network access and possible redirection to third-party booking flows, but it does not clearly warn users about those interactions. In a travel-booking context this can lead to unexpected outbound requests, data sharing, or accidental booking actions if users assume the skill is informational only.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The skill explicitly instructs the agent to run `npm i -g @fly-ai/flyai-cli` and then execute the installed binary, causing an unreviewed global system modification and execution of third-party code. In an agent setting, this is dangerous because it expands trust to an external package and grants it code execution without prior user consent, sandboxing requirements, or integrity verification.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The skill advertises travel planning and booking features but does not disclose that fulfilling requests depends on an external CLI and real-time network queries to a third-party service. This omission can mislead users and agents into sending itinerary, location, and booking-related data off-box without informed consent, creating privacy and data-handling risk.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The trigger phrase "Thailand trip" is broad enough to match many ordinary user travel requests, which can cause this playbook to activate without clear user intent for a specific workflow. In a skill that can support bookings and itinerary actions, ambiguous triggering increases the risk of unintended tool use, wrong parameter mapping, or over-scoped travel actions.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding: The trigger phrase "Bangkok trip" is generic and lacks boundaries that distinguish casual conversation from an intentional request to run this playbook. Because the skill context includes flights, hotels, and attractions, this ambiguity could lead to accidental activation and downstream travel-planning or booking behavior the user did not explicitly request.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding: The trigger phrase "Thai islands" remains ambiguous because it could appear in normal travel discussion without signaling intent to invoke a playbook. In this travel skill, that ambiguity is somewhat more dangerous because the playbook maps directly to flights, resorts, and activities, creating risk of unintended workflow execution or misleading recommendations based on incomplete user intent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The runbook explicitly defines an internal execution log that captures the raw `user_query`, which can contain personal data, credentials, travel details, or payment-related information entered by users. Even if intended for debugging, storing raw input without minimization, consent, or disclosure creates a clear privacy and data-retention risk and increases exposure if logs are accessed by unauthorized parties.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The runbook instructs the agent to append execution logs to a local file when filesystem writes are available, but provides no safeguards around permissions, retention, encryption, or user notice. Persisting operational logs to disk materially increases the chance of sensitive travel queries and booking details being retained longer than necessary and exposed through local compromise or accidental collection.

Ssd 3

Severity: Medium
Confidence: 98%
Finding: Taken together, the schema stores natural-language raw user input and the runbook permits writing that data to `.flyai-execution-log.json`, creating a concrete data leakage path. In this travel skill context, user prompts may include passports, visa questions, booking identifiers, locations, dates, and other sensitive itinerary data, making the retention risk more significant than generic telemetry.

VirusTotal

63/63 vendors flagged this skill as clean.