Security audit

带谁去哪

Security checks across malware telemetry and agentic risk

Overview

This travel recommendation skill is mostly coherent, but it asks the agent to change the local system and weaken HTTPS security before doing ordinary travel searches.

Install only after reviewing the FlyAI CLI requirement. Do not allow sudo installs or NODE_TLS_REJECT_UNAUTHORIZED=0 TLS bypasses for routine travel searches. Check what profile data may be read or saved in memory or ~/.flyai/user-profile.md, and use the skill only if you are comfortable with that personalization data being reused across sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding:
The skill requires a global npm install/upgrade of FlyAI CLI before use, which modifies the host environment and introduces code execution from the network that is not necessary for a destination-recommendation workflow. In this context, forcing installation of external software expands the attack surface and could expose users to supply-chain compromise or unintended system changes.

Context-Inappropriate Capability

Severity: Critical
Confidence: 99%
Finding:
The instruction to set NODE_TLS_REJECT_UNAUTHORIZED=0 disables TLS certificate validation, making HTTPS connections vulnerable to man-in-the-middle interception and tampering. This is especially dangerous because the skill performs network searches and treats insecure transport bypass as a normal troubleshooting path despite having no legitimate need to weaken transport security.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding:
The skill expands into flight and train search capabilities beyond its stated purpose of companion-based attraction recommendation, creating scope creep and increasing the chance of unnecessary external actions and data handling. While not as severe as direct code execution or TLS bypass, this unjustified capability broadening can lead to over-privileged behavior and user confusion about what the skill is authorized to do.

Intent-Code Divergence

Severity: Medium
Confidence: 78%
Finding:
The documentation states the skill mainly uses search-poi and search-hotel, but later introduces search-flight and search-train, creating a capability mismatch between declared and actual behavior. This inconsistency weakens user trust and reviewability because operators may approve the skill for a narrower scope than it actually attempts to exercise.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The document defines persistent storage of detailed travel-profile data across sessions and even across skills, including local filesystem writes and memory updates, but the skill’s stated purpose is only companion-based destination/attraction matching. This creates unnecessary collection and retention of personal preference data, increasing privacy risk and widening the skill’s scope beyond what users would reasonably expect.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding:
The SKILL.md template instructs the agent to save broad user profile attributes such as city, airport, budget, family composition, lodging preferences, and historical destinations, which substantially exceeds the advertised function of recommending attractions suitable for companions. This mismatch can lead to overcollection of personal data under a narrower user expectation, creating a privacy and trust boundary violation.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The skill instructs users to run a global install/upgrade command without clearly warning that it changes the local environment and may require elevated privileges. In a user-facing skill, omitting explicit consent and risk disclosure can lead to unintended system modification and unsafe acceptance of privileged commands.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The skill recommends disabling TLS certificate checks without a strong security warning, normalizing a dangerous practice that undermines secure network communication. Because users may copy and reuse such instructions, the harm extends beyond this single skill interaction and can expose traffic to interception or manipulation.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The skill reads user profile data from memory or a local file path without clearly notifying the user that personal local data may be accessed. In a travel assistant context, silent access to stored profile information can expose sensitive preferences or personal details beyond what the user intended to share in the current session.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The file specifies storing detailed personal profile data both locally and in memory, but it does not present a clear privacy notice, retention policy, access model, or user-facing warning before persistence occurs. Even though a later template mentions asking for confirmation when discovering new preferences, the storage design itself normalizes persistence without sufficient transparency or safeguards.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.