
Security audit

Flyai Japan Travel

Security checks across malware telemetry and agentic risk

Overview

This Japan travel skill is aligned with trip planning, but it instructs agents to modify the host system by automatically installing a global CLI, and it even suggests a sudo fallback, with no clear user-approval step before either action.

Review before installing. Only allow this skill to run npm, npx, or sudo commands after explicit approval, and avoid providing unnecessary personal details because trip queries and command arguments may be logged or sent to FlyAI/Fliggy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill instructs the agent to automatically run `npm i -g @fly-ai/flyai-cli` if `flyai --version` fails, causing unprompted installation of executable code on the host. For a travel-planning skill, modifying the system environment is not necessary to answer user questions and expands risk to supply-chain compromise, persistence, and unauthorized system changes.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The installation path is automatic and mandatory in the workflow, with no prior warning, consent, or safer fallback before executing a global package install. This creates a silent side effect on the machine and can surprise users or agents into running privileged operations unrelated to the immediate query.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guidance instructs automatic global npm installation and escalation to sudo without warning the user about system modification or elevated privileges. In an agent setting, this can cause unauthorized changes to the host environment, expand the blast radius if the package or install path is compromised, and normalize unsafe privilege use for routine recovery steps.
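The three findings above all concern the same recovery step: probe for the CLI, and if the probe fails, install it globally and escalate to sudo. A guarded version of that step, added here as an example and not part of the skill or of the FlyAI CLI's own documentation, probes for the binary without executing it, refuses to install unless the user has explicitly approved, never escalates to sudo, and pins the package to a version the operator supplies. The `FLYAI_INSTALL_APPROVED` and `FLYAI_PIN` variables, the function names and the placeholder version are assumptions for the example; `-g`, `--prefix` and `--ignore-scripts` are standard npm options.

```shell
#!/bin/sh
# Added example: a guarded replacement for the skill's
# "if `flyai --version` fails, run `npm i -g @fly-ai/flyai-cli`" step.
# Not the skill's own runbook; FLYAI_INSTALL_APPROVED, FLYAI_PIN and the
# placeholder version are assumptions made for this example.

FLYAI_BIN="flyai"
FLYAI_PKG="@fly-ai/flyai-cli"

# Decide what the agent may do next. Prints exactly one of:
#   present        - the CLI is on PATH; nothing to install
#   needs-approval - CLI missing and the user has not approved an install
#   install        - CLI missing and the user explicitly approved
# There is deliberately no sudo branch: a root-level package install is
# out of scope for a travel-planning skill.
flyai_install_decision() {
  approved="${1:-no}"
  bin="${2:-$FLYAI_BIN}"
  # `command -v` looks the binary up on PATH without executing it, unlike
  # running `flyai --version` against whatever file happens to be there.
  if command -v "$bin" >/dev/null 2>&1; then
    printf '%s\n' present
  elif [ "$approved" = "yes" ]; then
    printf '%s\n' install
  else
    printf '%s\n' needs-approval
  fi
}

# Build (but do not run) the install command for the approved case:
# - an exact version pin instead of "latest", so the installed code is the
#   code that was reviewed
# - --ignore-scripts blocks package lifecycle scripts, the usual npm
#   supply-chain foothold
# - --prefix keeps the "global" install under the user's home, so no root
#   privileges are needed and system directories are untouched
flyai_install_cmd() {
  pinned="${1:?pinned version required}"
  printf '%s\n' "npm install -g --ignore-scripts --prefix \"\$HOME/.local\" \"${FLYAI_PKG}@${pinned}\""
}

# Stand-alone run: report the decision for the real CLI and show the command
# that would be run on approval. Nothing is installed here. FLYAI_PIN
# defaults to a placeholder; set it to the reviewed version in practice.
case "$(flyai_install_decision "${FLYAI_INSTALL_APPROVED:-no}")" in
  present)        echo "flyai already installed; no action" ;;
  needs-approval) echo "flyai missing; ask the user before installing ${FLYAI_PKG}" ;;
  install)        echo "approved; would run: $(flyai_install_cmd "${FLYAI_PIN:-0.0.0}")" ;;
esac
```

Two caveats for anyone adopting this: `$HOME/.local/bin` must already be on PATH for the installed binary to be found on the next probe, and a CLI that relies on a postinstall script will not finish setting up under `--ignore-scripts`, in which case the script should be read before the install is allowed to run it rather than the flag simply dropped.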

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The runbook explicitly requires storing the raw user query and full CLI command in a background log, which can capture sensitive travel data such as names, locations, dates, visa details, and possibly identifiers embedded in commands. Because this collection is not paired with minimization, redaction, retention limits, or a user-facing notice/consent mechanism, it creates a privacy and data-exposure risk if logs are accessed, reused, or retained improperly.
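A data-minimized alternative to that logging step, added here as an example and not the skill's own runbook: it keeps the CLI binary and verb for debugging, drops the arguments (where names, dates and passport or visa details end up), records a length and checksum of the query instead of its text, and writes the file owner-readable only. The function names, record format and the sample query are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: data-minimized logging in place of the skill's
# "store the raw user query and full CLI command" step. Not the skill's
# own code; the record format, function names and sample query are
# assumptions made for this example.

# Reduce a query plus the command that was run to a record that is useful
# for debugging but does not carry the traveller's details.
minimized_log_line() {
  query="$1"
  cmd="$2"
  # Keep only the binary and its verb ("flyai plan"); the arguments are
  # where names, dates, passport and visa details end up.
  cmd_head=$(printf '%s' "$cmd" | awk '{ if (NF > 1) print $1, $2; else print $1 }')
  # Length and a CRC let repeated queries be correlated and sizes be
  # monitored without retaining the text. cksum is POSIX, so no extra tools.
  qlen=$(printf '%s' "$query" | wc -c | tr -d ' ')
  qcrc=$(printf '%s' "$query" | cksum | cut -d' ' -f1)
  printf 'query_len=%s query_crc=%s cmd=%s\n' "$qlen" "$qcrc" "$cmd_head"
}

# Append one record to the log, creating the file owner-read/write only.
# A background log readable by other users is the exposure the finding
# describes, so the umask is restricted before the first write.
write_log_entry() {
  logfile="$1"
  query="$2"
  cmd="$3"
  ( umask 077; minimized_log_line "$query" "$cmd" >> "$logfile" )
}

# Stand-alone run with a constructed query (not real user data).
demo_log=$(mktemp)
write_log_entry "$demo_log" \
  "Plan a Tokyo trip for Alice Smith, passport X1234567, 2025-03-01" \
  "flyai plan --name 'Alice Smith' --passport X1234567 --date 2025-03-01"
cat "$demo_log"
rm -f "$demo_log"
```

The CRC is for correlation, not secrecy: a short query could be recovered by guessing, so if the log must survive longer than the debugging session the checksum should be dropped as well, and a retention limit applied to the file.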

Vague Triggers

Medium
Confidence
86% confidence
Finding
The full-trip planning trigger is defined by very broad phrases such as '帮我规划/安排' ("help me plan/arrange"), which can match ordinary conversational requests and cause the skill to enter a multi-step planning flow unexpectedly. In a travel-booking context, this can lead to over-collection of trip parameters, unintended tool invocation, and user confusion about whether they asked for planning or for a simple answer.

Natural-Language Policy Violations

Medium
Confidence
78% confidence
Finding
The template hardcodes Chinese-language prompts and output structure without offering language negotiation or fallback behavior. For non-Chinese-speaking users, this can cause misunderstanding of booking, visa, and itinerary details, increasing the risk of user error and accidental actions based on incorrectly understood travel information.

VirusTotal

65/65 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.