周末去哪儿 (Where to Go This Weekend)

Security checks across malware telemetry and agentic risk

Overview

The travel-planning skill is mostly coherent, but it asks users to make unsafe system and network changes before using it.

Review before installing. Do not run the sudo install path, avoid automatic global @latest upgrades, keep TLS verification enabled, and only save a travel profile if you are comfortable retaining those personal details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Description-Behavior Mismatch

Medium severity, 96% confidence
Finding
The document instructs the skill to persist detailed travel-profile data across sessions using either platform memory or a local file, even though the skill is described as a one-shot weekend itinerary generator. This creates unnecessary collection and retention of personal preference/history data, expanding privacy risk and attack surface beyond what is needed for the stated functionality.

Context-Inappropriate Capability

Medium severity, 94% confidence
Finding
The guidance adds long-term history retention and profile updating for fields such as home city, family composition, budget, and prior destinations, which are not necessary to generate a single weekend-trip plan. Retaining this behavioral profile can expose sensitive personal context over time and enable broader tracking or misuse if the memory/file is accessed by other components or users.

Context-Inappropriate Capability

High severity, 99% confidence
Finding
The workflow explicitly instructs operators to disable TLS certificate verification with NODE_TLS_REJECT_UNAUTHORIZED=0 when SSL errors occur. This defeats server identity validation for every TLS connection made by any Node.js process that inherits the variable (not only the FlyAI CLI, and for the rest of the shell session if it is exported), exposing that traffic to man-in-the-middle interception or tampering. This is especially dangerous because the skill is retrieving travel data over the network; the correct fix for an intercepting proxy is to trust its CA via NODE_EXTRA_CA_CERTS rather than to turn verification off.

Context-Inappropriate Capability

Medium severity, 88% confidence
Finding
The workflow mandates a global npm install/upgrade of a CLI before use, creating a supply-chain and system-modification risk path in the normal execution flow. While installing a package is sometimes legitimate, forcing a latest-version global install from the shell increases exposure to compromised packages, unexpected breaking changes, and broad host impact.

Vague Triggers

Medium severity, 90% confidence
Finding
The trigger phrases are broad travel-intent terms such as '周末去哪' (where to go on the weekend) and '周末出游' (weekend outing), which can match many ordinary conversations and cause the skill to activate in situations where the user did not explicitly ask for this workflow. Over-broad activation can lead to unnecessary tool use, collection of travel preferences, and reading of stored profile data without sufficiently clear user intent.

Missing User Warnings

Medium severity, 91% confidence
Finding
The file describes storing personal travel-profile data in persistent memory and local files but does not provide a clear, prominent privacy notice, retention period, or user-control policy in the primary specification. As a result, implementers may silently save user data without informed consent or clear limits on how long it remains stored.

Missing User Warnings

Medium severity, 92% confidence
Finding
The workflow recommends system-wide installation and even suggests sudo for permission issues without warning about elevated privilege and persistence risks. This can cause unintended host changes and magnify the impact of a malicious or compromised package, especially on shared or production systems.

Missing User Warnings

High severity, 99% confidence
Finding
The workflow tells users to bypass TLS certificate verification as a troubleshooting step and provides no warning about the security consequences. That omission normalizes an unsafe practice and materially increases the chance that users will run network commands with transport protections disabled.

Ssd 2

High severity, 98% confidence
Finding
This is another representation of the same TLS-bypass behavior: instructing users to suppress certificate validation as a workaround. Because the skill is centered on command execution against online services, this context makes the issue more dangerous by inviting insecure network use during routine operation.
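The findings above repeat four operator-facing patterns: the NODE_TLS_REJECT_UNAUTHORIZED=0 workaround, sudo package-manager runs, unpinned global @latest installs, and instructions to persist a personal travel profile. As an added example (not code from the SkillSpector report, from NVIDIA, or from the skill under review), the following Python linter runs those checks over a skill instruction file and reports line numbers with a remediation. The sample SKILL.md text is constructed for the example, the package name `flyai-cli` is a hypothetical stand-in (the report does not give the CLI's npm name), and the rule patterns are illustrative rather than SkillSpector's own.

```python
"""Lint a skill instruction file for the risky operator steps flagged in this report.

Added example; the rules are illustrative and the sample input is constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line_no: int  # 1-based line in the skill file
    line: str
    advice: str


# NODE_TLS_REJECT_UNAUTHORIZED=0 disables certificate validation for every TLS
# connection made by any Node.js process that inherits the variable.
TLS_BYPASS = re.compile(r"NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['\"]?0\b")

# Package managers run with elevated privileges.
SUDO_PKG = re.compile(r"\bsudo\s+(?:npm|npx|pnpm|yarn|corepack)\b")

# Global installs; capture the package spec so we can check whether it is pinned.
GLOBAL_INSTALL = re.compile(r"\b(?:npm|pnpm)\s+(?:i|install|add)\s+(?:-g|--global)\s+(\S+)")

# Instructions to persist user data across sessions (memory, profile files).
PERSIST = re.compile(
    r"\b(?:save|store|persist|remember|write|update)\b[^\n]{0,100}"
    r"\b(?:profile|preferences|history)\b",
    re.IGNORECASE,
)


def _is_unpinned(spec: str) -> bool:
    """True unless spec names an exact version, e.g. pkg@1.4.2 or @scope/pkg@1.4.2."""
    spec = spec.rstrip("`'\".,;)")
    name, sep, version = spec.rpartition("@")
    if not sep or not name:  # "pkg" or "@scope/pkg": no version given, npm resolves latest
        return True
    return version == "latest" or not version[:1].isdigit()  # dist-tags and ranges float


def _unpinned_global(line: str) -> bool:
    m = GLOBAL_INSTALL.search(line)
    return bool(m) and _is_unpinned(m.group(1))


# (rule id, severity, predicate, remediation); order fixes report order within a line.
RULES: List[tuple] = [
    ("tls-bypass", "High", lambda s: bool(TLS_BYPASS.search(s)),
     "Keep verification on; trust an intercepting proxy's CA with NODE_EXTRA_CA_CERTS=/path/to/ca.pem."),
    ("sudo-install", "Medium", lambda s: bool(SUDO_PKG.search(s)),
     "Install as the user (npm prefix under $HOME, or npx with a pinned version); never run package managers with sudo."),
    ("unpinned-global-install", "Medium", _unpinned_global,
     "Pin an exact version and add --ignore-scripts; re-pin deliberately instead of tracking @latest."),
    ("persistent-profile", "Medium", lambda s: bool(PERSIST.search(s)),
     "Persist a profile only with explicit consent, a stated retention period, and a way to delete it."),
]

SEVERITY_ORDER = {"Low": 0, "Medium": 1, "High": 2}


def lint_skill(text: str) -> List[Finding]:
    """Return one Finding per (line, rule) match, in file order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, severity, predicate, advice in RULES:
            if predicate(line):
                findings.append(Finding(rule, severity, line_no, line.strip(), advice))
    return findings


def max_severity(findings: List[Finding]) -> Optional[str]:
    return max((f.severity for f in findings), key=SEVERITY_ORDER.__getitem__, default=None)


# Constructed sample of a skill instruction file; "flyai-cli" is a hypothetical package name.
SAMPLE_SKILL = """\
---
name: weekend-trip
description: Generate a weekend itinerary.
---
## Setup
1. Install the CLI: `npm install -g flyai-cli@latest`
   If you hit EACCES, run `sudo npm install -g flyai-cli@latest`.
2. If you see SSL errors, run `export NODE_TLS_REJECT_UNAUTHORIZED=0` and retry.
## Workflow
- Save the user's home city, family composition and budget to ~/.flyai/profile.json so later sessions can reuse it.
"""

if __name__ == "__main__":
    for f in lint_skill(SAMPLE_SKILL):
        print(f"L{f.line_no} [{f.severity}] {f.rule}: {f.line}\n    -> {f.advice}")
```

Run it against a real SKILL.md by passing the file contents to `lint_skill`; the sample yields five findings (the sudo line also trips the unpinned-install rule), and a hardened line such as `npm install -g flyai-cli@1.4.2 --ignore-scripts` yields none. Trigger breadth is deliberately not covered: deciding whether a phrase is "too broad" needs the skill's intended scope, which a regex cannot judge.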

VirusTotal

0/66 detections: all 66 vendors reported this skill as clean.
