Security audit

investor-roadshow

Security checks across malware telemetry and agentic risk

Overview

This travel-booking skill is not malicious, but it needs review because it can automatically install an unpinned global CLI and may be triggered by overly broad travel requests.

Install only if you trust the flyai npm package and are comfortable with an agent making a global npm install. Prefer preinstalling a reviewed, pinned CLI version yourself, and avoid submitting confidential investor-roadshow itinerary details unless the external travel provider is acceptable for that data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Medium (95% confidence)
Finding: The skill explicitly says agents must never invent CLI parameters and may only use flags listed in the Parameters table, but the Direct Route playbook later introduces `--journey-type 1` without documenting it. This contradiction can cause agents to execute unsupported or guessed commands, creating unreliable behavior and undermining the safety boundary around command construction.

Vague Triggers

Medium (81% confidence)
Finding: The activation rules include broad phrases like 'travel booking' and 'trip search', which can match many ordinary travel requests unrelated to investor roadshows. That increases the chance this skill is invoked in the wrong context, causing unnecessary external CLI execution, package installation attempts, and disclosure of user travel data to a third-party service.

Missing User Warnings

High (98% confidence)
Finding: The skill instructs the agent to run `npm i -g @fly-ai/flyai-cli` automatically if the CLI is missing, which modifies the host environment without user consent. Automatic global installation expands supply-chain and system-integrity risk, especially because it fetches and executes code from an external package registry.

Missing User Warnings

Medium (92% confidence)
Finding: The skill promotes flight search and booking via an external CLI but does not warn that user itinerary details will be transmitted to a third-party service. Travel plans for investor roadshows can be commercially sensitive, so silent transmission increases privacy and confidentiality risk.

Vague Triggers

Medium (92% confidence)
Finding: The trigger phrases for PB-2 include very generic terms like "cheap" and "budget", which can easily appear in ordinary travel conversations unrelated to investor roadshows, or even unrelated to flight search at all. This can cause unintended activation of the playbook and steer the agent into booking or recommending flights based on price without sufficient confirmation of user intent.

Vague Triggers

Medium (90% confidence)
Finding: The trigger phrases for PB-3 include broad terms like "fast" and "quick", which are ambiguous and may match many ordinary user requests that are not asking for the fastest flight route. In a travel-booking skill, this ambiguity can misroute intent handling and produce incorrect search behavior or recommendations without clear user authorization.

Ssd 2

Medium (96% confidence)
Finding: The Direct Route playbook tells the agent to use an undocumented `--journey-type` flag despite an earlier rule forbidding unlisted flags. This semantically pressures the model to override its own safety constraint and normalize command invention, which can lead to command errors or unsafe improvisation when interacting with external tools.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.