Security audit

startup-trip

Security checks across malware telemetry and agentic risk

Overview

This travel skill is not clearly malicious, but it can cause an agent to install and run an unpinned global travel CLI with broad activation triggers.

Install only if you are comfortable with an external travel CLI being installed and run for flight searches. Prefer manually installing or approving @fly-ai/flyai-cli in an isolated environment, and review generated flight-search commands and booking links before acting on them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium, 94% confidence
Finding
The skill explicitly says agents must never invent CLI parameters and may only use flags listed in the Parameters table, yet Playbook D later requires `--journey-type 1`, which is undocumented in that table. This inconsistency can cause agents to either violate the skill's own guardrails or execute an unreviewed flag, increasing the risk of unsafe or unintended command behavior.

Vague Triggers

Medium, 82% confidence
Finding
The activation trigger includes `plan a trip`, which is broad enough to match many ordinary travel-planning requests outside the stated startup/entrepreneur niche. Over-broad activation can route unrelated user requests into a skill that is instructed to install software and execute external commands, expanding exposure unnecessarily.

Missing User Warnings

High, 98% confidence
Finding
The skill mandates `npm i -g @fly-ai/flyai-cli` if the binary is missing, with no user consent, provenance verification, or sandboxing guidance. Auto-installing a global package from within a skill can change the host environment and execute third-party code, which is especially dangerous when triggered by ordinary user requests.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.