Travel Blind Box (旅行盲盒)

Security checks across malware telemetry and agentic risk

Overview

This travel skill is mostly coherent, but it asks the agent to make risky system and network changes that users should review before installing.

Review the setup commands before use. Do not allow sudo installs; prefer a pinned, user-local install of the FlyAI CLI; never run commands with TLS verification disabled; and only save travel profile details if you are comfortable with them persisting in Memory or in ~/.flyai/user-profile.md.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding
The skill expands beyond simple travel-destination selection into persistent profiling by storing and reusing user travel history and preferences. This creates unnecessary collection and retention of personal data, increasing privacy risk and making the skill capable of behavior not clearly justified by its stated purpose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The fallback to reading a local file introduces filesystem access unrelated to the core blind-box travel function. Local file access broadens the skill's authority and can expose sensitive user data or normalize unsafe access patterns, especially when the file path is predefined and silently consulted.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The referenced documentation defines a general-purpose semantic travel search capability covering hotels, attractions, flights, trains, and mixed recommendations, which materially exceeds the stated scope of a 'travel blind-box' destination randomizer. This scope mismatch can enable unintended tool use and data flows, causing the agent to perform broader booking/recommendation tasks than users or reviewers expect.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding
The examples and parameter description show end-to-end travel search and recommendation workflows, including itinerary, hotel, and flight selection, which are unrelated to a simple blind-box destination picker. In an agent setting, this increases the risk of capability overreach, where the skill can be repurposed to perform broader actions or recommendations outside its advertised function.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The document describes persistent memory, preference learning, and optimization behavior that goes beyond the stated role of a random travel-destination assistant. This expansion of capability increases privacy and governance risk because users may be profiled or have data retained without a clearly disclosed, scoped, and consented purpose.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The proactive-service section says the skill may anticipate needs and provide suggestions beyond user-triggered requests. For a skill intended to activate on explicit travel blind-box prompts, this broader autonomous behavior can lead to unexpected data use, unsolicited recommendations, and operation outside the user's intent.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The document introduces persistent collection and retention of user travel-profile data across sessions, which is broader than what a travel blind-box skill minimally needs to produce a one-time random destination suggestion. This creates unnecessary accumulation of personal preference and family-context data, increasing privacy exposure and the blast radius if memory or local files are accessed by other tools, users, or processes.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The file-mode fallback instructs the agent to persist user profile information to ~/.flyai/user-profile.md on the local filesystem, which is unrelated to the core function of randomly selecting a destination. Local file persistence can expose sensitive travel and family information to other local users, backups, sync tools, or unrelated applications, especially without access-control guidance or encryption.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The template explicitly tells the skill to save newly discovered user preferences for future use, turning a single-purpose travel assistant into an ongoing profile-building system. Even though it includes a confirmation step, the guidance still normalizes broad preference retention beyond the manifest's stated scope and increases long-term privacy risk.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The workflow explicitly sets NODE_TLS_REJECT_UNAUTHORIZED=0 for travel search commands, which disables TLS certificate verification and permits man-in-the-middle interception or tampering of network responses. This capability is unnecessary for a travel-planning skill and increases risk because flight, hotel, and destination results could be silently altered or observed.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill instructs the agent to read and update user profile data, including potential local file access, without clear user-facing notice about privacy, retention, or persistence. This undermines informed consent and can lead users to reveal or have stored personal travel history and preferences without understanding the consequences.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The preference-saving workflow persists user data to memory or local files but does not provide a clear warning about the effects of persistence. Users may not realize that preferences and travel history can be retained across sessions, creating privacy and profiling risks.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The documented query parameter accepts broad natural-language input across many travel categories without clear guardrails, allowlists, or scope restrictions. In an agent setting, this can lead to overly permissive tool invocation, ambiguous matching, or unintended searches that expand beyond the intended blind-box travel workflow, increasing the chance of data over-collection, policy bypass, or irrelevant external lookups.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The markdown states the skill will remember user parameters and learn preference patterns, but provides no notice about retention, review, or privacy implications. In a travel context, remembered cities, budgets, and timing can reveal sensitive lifestyle and location patterns, making undisclosed retention a meaningful privacy risk.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
Stating that failure cases are collected for analysis implies user interactions may be logged or reviewed, but the document gives no warning or boundaries on that collection. Without disclosure and minimization, diagnostic logging can capture personal travel constraints or other conversation content beyond what users expect.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The guidance describes storing detailed profile data in memory and local files but does not prominently provide a privacy notice, retention limits, sensitivity classification, or user-facing explanation of how long data is kept and where it is stored. That omission can lead to collection of personal and family-related data without informed consent, making misuse or overcollection more likely.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill instructs a global npm install/upgrade and even suggests sudo without clearly warning that this modifies the host system and may run package lifecycle scripts with elevated privileges. In an agent context, encouraging unattended system-wide changes increases supply-chain and privilege-risk exposure beyond what is necessary for answering a travel request.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
Disabling TLS verification without an explicit warning is a real security issue because it normalizes insecure transport for multiple network operations. This makes it easier for an attacker on the network path to spoof travel service responses, inject false data, or capture sensitive query details.
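The sudo/global-install finding and the two TLS findings above, together with the overview's advice to review setup commands before installing, can be turned into a pre-install check. The POSIX shell script below is an added example written for this page; it is not the skill's setup text and not SkillSpector's scanner. The setup excerpt it audits is constructed here to contain the patterns the findings describe, and the npm package name `flyai` and the pinned version `1.2.3` used in the hardened replacement are assumptions, not values taken from the skill.

```sh
#!/bin/sh
# Added example for this review page; not part of the skill or of SkillSpector.
# Audits a skill's setup text for the patterns flagged above (sudo, global npm
# install, disabled TLS verification) and prints the hardened install a reviewer
# would substitute. Package name "flyai" and version "1.2.3" are assumptions.

# Rule table: "<rule-name> <ERE>", one per line. The regexes avoid literal spaces
# so a single space can separate name from pattern in plain POSIX sh.
RULES='sudo-elevation (^|[[:space:]|&;])sudo[[:space:]]
global-npm-install (^|[[:space:]|&;])npm[[:space:]]+(install|i|add|update|upgrade)[[:space:]]+(-g|--global)([[:space:]]|$)
tls-verification-disabled NODE_TLS_REJECT_UNAUTHORIZED=0|GIT_SSL_NO_VERIFY=|--insecure|--no-check-certificate|curl[[:space:]]+(.*[[:space:]])?-[[:alpha:]]*k([[:space:]]|$)'

# Print "<rule>: <first offending line>" for every rule the text trips.
# Always exits 0 so callers can capture and count the output.
audit_skill_text() {
    text=$1
    printf '%s\n' "$RULES" | while IFS= read -r entry; do
        rule=${entry%% *}
        re=${entry#* }
        match=$(printf '%s\n' "$text" | grep -E -e "$re" | head -n 1)
        if [ -n "$match" ]; then
            printf '%s: %s\n' "$rule" "$match"
        fi
    done
    return 0
}

# Hardened replacement for "sudo npm install -g": user-local prefix (no root,
# no system-wide change), exact pinned version, lifecycle scripts not executed.
hardened_install_cmd() {
    printf 'npm install --prefix "$HOME/.local/flyai" --ignore-scripts flyai@%s\n' "${1:-1.2.3}"
}

# Guard for any wrapper around the travel-search command: abort when the
# environment would turn off certificate verification for Node.
refuse_if_tls_disabled() {
    if [ "${NODE_TLS_REJECT_UNAUTHORIZED:-1}" = "0" ]; then
        echo "refusing to run: NODE_TLS_REJECT_UNAUTHORIZED=0 disables TLS certificate checks" >&2
        return 1
    fi
    return 0
}

run_guarded() {
    refuse_if_tls_disabled || return 1
    "$@"
}

# Constructed setup excerpt of the kind the findings describe (not the skill's text).
SAMPLE_SKILL_TEXT='## Setup
npm install -g flyai || sudo npm install -g flyai
export NODE_TLS_REJECT_UNAUTHORIZED=0
flyai search "family beach trip under 8000"
curl -k https://example.invalid/flyai-data.json'

# The same steps rewritten the way the overview recommends.
HARDENED_SKILL_TEXT="## Setup
$(hardened_install_cmd 1.2.3)
export PATH=\"\$HOME/.local/flyai/node_modules/.bin:\$PATH\"
unset NODE_TLS_REJECT_UNAUTHORIZED
flyai search \"family beach trip under 8000\""

audit_skill_text "$SAMPLE_SKILL_TEXT"
echo "--- hardened replacement (trips no rule) ---"
printf '%s\n' "$HARDENED_SKILL_TEXT"
```

Run it against the real skill file with `audit_skill_text "$(cat SKILL.md)"`. Any output is a line to rewrite before installing; `run_guarded` is what a wrapper around the travel-search command should call so that an inherited NODE_TLS_REJECT_UNAUTHORIZED=0 aborts the run instead of silently disabling certificate checks.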

Session Persistence

Severity: Medium
Category: Rogue Agent
Content
If the `~/.flyai/` directory does not exist, create it first:
```bash
mkdir -p ~/.flyai
```

### File format
```markdown
# FlyAI User Travel Profile
> Last updated: 2026-04-03 15:30
## Basic information
- Home city: Hangzhou
- Departure airport: Xiaoshan Airport
## Travel preferences
- Budget preference: medium (3000-8000 per person)
- Party size: 2
- Family members: one child (age 3)
- Preferred types: islands, family-friendly, natural scenery
-
```
Confidence: 90%
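The directory-creation step quoted above is a bare `mkdir -p ~/.flyai`, and the file-mode finding earlier notes that the skill persists a family travel profile there with no access-control guidance. The script below is an added example for this page, not the skill's own instructions: it creates the store with owner-only permissions, tightens an existing one, and refuses to append profile data when the permissions have drifted. The paths follow the skill (`~/.flyai/user-profile.md`); the preference lines it writes are constructed, and the demonstration runs in a scratch directory so it never touches the real `~/.flyai`.

```sh
#!/bin/sh
# Added example for this review page; not the skill's own instructions. Replaces
# the skill's bare "mkdir -p ~/.flyai" with an owner-only profile store and refuses
# to write profile data when permissions have drifted. Paths follow the skill
# (~/.flyai/user-profile.md); the preference values written below are constructed.

# Permission bits of a path as octal text (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create the directory and profile file readable and writable by the owner only.
# Pre-existing paths are tightened rather than left as found.
init_profile_store() {
    dir=$1
    file="$dir/user-profile.md"
    ( umask 077 && mkdir -p "$dir" ) || return 1
    chmod 700 "$dir" || return 1
    if [ ! -e "$file" ]; then
        ( umask 077 && : > "$file" ) || return 1
    fi
    chmod 600 "$file" || return 1
}

# Reject a store that other local users, backups or sync tools could read.
check_profile_perms() {
    dir=$1
    file="$dir/user-profile.md"
    [ -d "$dir" ] && [ "$(mode_of "$dir")" = "700" ] || { echo "$dir is not owner-only" >&2; return 1; }
    [ -f "$file" ] && [ "$(mode_of "$file")" = "600" ] || { echo "$file is not owner-only" >&2; return 1; }
}

# Append one user-confirmed preference line, only if the store passes the check.
save_preference() {
    dir=$1
    key=$2
    value=$3
    check_profile_perms "$dir" || return 1
    printf '%s %s: %s\n' '-' "$key" "$value" >> "$dir/user-profile.md"
}

# Demonstration in a scratch directory so running this does not touch ~/.flyai.
demo=$(mktemp -d)
init_profile_store "$demo/.flyai"
save_preference "$demo/.flyai" "Home city" "Hangzhou"
save_preference "$demo/.flyai" "Budget preference" "medium (3000-8000 per person)"
cat "$demo/.flyai/user-profile.md"
rm -rf "$demo"
```

Mode bits only protect against other local accounts; they do nothing for a backup or sync tool running as the same user, which is the remaining exposure the finding describes and the reason to keep the profile to fields the user has explicitly confirmed.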

VirusTotal

64/64 vendors flagged this skill as clean.
