Help Me Persuade Them (帮我说服 TA)

Security checks across malware telemetry and agentic risk

Overview

This travel proposal skill is mostly coherent, but it asks agents to globally install unpinned CLI software, use sudo as a fallback, and disable TLS verification for travel-data queries.

Install only if you trust the FlyAI CLI source and are comfortable reviewing commands before they run. Avoid sudo/global installs when possible, pin the CLI version, remove the NODE_TLS_REJECT_UNAUTHORIZED=0 workaround, and review or delete ~/.flyai/user-profile.md if you do not want travel preferences stored across sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (15)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill explicitly instructs use of NODE_TLS_REJECT_UNAUTHORIZED=0 for multiple networked FlyAI commands, which disables TLS certificate validation and makes HTTPS connections vulnerable to man-in-the-middle attacks. In this context the tool is retrieving supposedly 'real' travel pricing data, so an attacker on the network path could tamper with results or intercept requests without detection.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The skill requires global installation/upgrading of an external CLI via npm and even suggests sudo as a fallback, which causes system-wide modification beyond what a travel proposal generator should need. This expands the attack surface substantially because running package-manager installs, especially privileged ones, can execute untrusted install scripts and alter the host environment.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The documentation says new preferences are saved after prompting for confirmation, but the workflow also states that in non-Qoder environments it updates a local file, creating ambiguity about whether persistence is truly consent-gated. For a skill that reads and stores user travel profile data, unclear persistence behavior is a privacy and trust issue because sensitive preferences may be written locally unexpectedly.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The document states that all FlyAI commands must be run with NODE_TLS_REJECT_UNAUTHORIZED=0, which globally disables TLS certificate validation for Node-based HTTPS connections. This enables man-in-the-middle interception or tampering of travel pricing and search results, directly undermining the skill's stated purpose of retrieving 'real' data and making the behavior unjustified for this context.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
Requiring a global SSL/TLS verification bypass exceeds the legitimate needs of a travel proposal skill and weakens transport security for every command invocation. An attacker on the network path could spoof the backend service, alter prices, destinations, or safety information, and feed manipulated content into downstream persuasive outputs.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The document explicitly describes ongoing memory, preference learning, case accumulation, and proactive inference, which goes beyond a narrow travel-proposal generator and implies broader profiling behavior. In a consumer travel context, this can lead to unauthorized retention and use of personal preference data without clear scope limits, consent, or governance.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The document defines persistent storage of detailed travel profile data across sessions in Qoder Memory or a local file, which exceeds the narrow function of generating a one-off travel persuasion proposal unless it is tightly justified and explicitly consented to. This creates unnecessary data retention and expands the attack and privacy surface by preserving personal attributes such as city, family composition, budget, and travel history.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill description tells the agent to perform global installation and suggests privileged fallback, but does not clearly warn users that system software may be modified. Lack of upfront disclosure undermines informed consent and makes it easier for risky host-level actions to occur unexpectedly in a low-trust context.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill reads stored user profile data from memory and may fall back to reading a local file, but this data access is not clearly disclosed in the high-level description. Hidden personalization based on local or stored data is risky because users may not expect file reads or profile retrieval when asking for a travel proposal.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The skill creates an HTML file in the working directory but does not clearly warn users about local file creation. While lower severity than network or privilege issues, unexpected file writes can still create privacy, clutter, or data-handling concerns, especially if proposal content includes personal travel details.

Missing User Warnings

High
Confidence
99% confidence
Finding
The documentation explicitly instructs users to disable certificate verification and provides no warning about the resulting security exposure. This creates an unsafe operational pattern where users may unknowingly trust forged endpoints and consume tampered data, which is especially risky because the skill uses that data to persuade users with allegedly factual information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The text says the skill will remember user parameters and learn preference patterns, but provides no notice about persistence, privacy impact, retention period, or user control. This is dangerous because users may disclose travel habits, budgets, and location-related preferences without understanding that the data could be stored and profiled over time.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The proactive-service section states that the skill may infer user needs and provide suggestions at suitable times, but it does not disclose that this behavior depends on analyzing user context and behavioral patterns. In a persuasion-focused travel skill, this increases risk because the system may quietly profile users and act on inferred sensitive preferences or circumstances without explicit consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The specification instructs storing sensitive or highly personal profile data, including home city, airport, child age, travel history, and special needs, without privacy warnings, sensitivity labeling, or safeguards. In a travel-assistant context, these details can enable profiling, inference about household composition, and unauthorized persistence beyond user expectations.

Session Persistence

Medium
Category
Rogue Agent
Content
If the `~/.flyai/` directory does not exist, create it first:
```bash
mkdir -p ~/.flyai
```

### File format
Confidence
90% confidence
Finding
```markdown
# FlyAI 用户旅行画像
> 最后更新: 2026-04-03 15:30
## 基础信息
- 常驻城市: 杭州
- 出发机场: 萧山机场
## 出行偏好
- 预算偏好: 中等(3000-8000/人)
- 出行人数: 2人
- 家庭成员: 有小孩(3岁)
- 偏好类型: 海岛、亲子、自然风光
-
```

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal