Security audit

Travel Companion Compatibility Report (旅伴匹配度报告)

Security checks across malware telemetry and agentic risk

Overview

This travel matching skill is not clearly malicious, but it asks for broad travel-search authority, persistent personal-profile use, a global CLI install, and an unsafe TLS workaround that users should review before installing.

Install only if you are comfortable with a travel skill reading or saving personal travel preferences and sending travel search details to FlyAI/Fliggy-style services. Before use, avoid disabling TLS verification, approve any global npm install manually, do not treat booking links as purchase approval, and review or delete ~/.flyai/user-profile.md if you do not want persistent travel-profile data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill introduces self-growth and user preference persistence features that are not necessary for producing a one-time travel-companion compatibility report. Expanding scope to memory and adaptive behavior increases data collection and retention risk, especially because the skill processes relationship/travel preference information that may be sensitive in context.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Adding flight, train, and Marriott package search goes beyond the declared companion-matching purpose and broadens the skill into booking and commercial recommendation workflows. This increases the attack surface, raises the chance of unintended transactions or steering, and weakens least-privilege boundaries for the agent.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The reference file exposes a broad AI travel search capability that goes beyond the skill’s declared purpose of companion-compatibility testing. This kind of scope expansion can enable unintended actions or data access paths, increasing the chance the skill is invoked for unrelated travel planning tasks and weakening least-privilege boundaries.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Documenting flight and train search in a skill meant for travel-companion matching introduces unrelated capabilities that could be misused for broader itinerary planning. Even without explicit exploit code, unnecessary transport-search scope increases attack surface and creates a mismatch between user expectations, approval boundaries, and actual accessible functionality.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The document defines broad, cross-platform persistent storage of detailed travel-profile data, which goes beyond the narrow purpose of generating a one-time companion matching report. This expands data collection and retention scope without clear necessity, increasing privacy risk and the attack surface if the profile is reused or exposed.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill introduces local file persistence at ~/.flyai/user-profile.md for personal travel preferences and household details, but this storage is not clearly justified by the stated matching-report function. Writing sensitive preference data to a predictable local path can expose it to other tools, users, backups, or later prompts, especially on shared or lightly secured systems.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The workflow requires a global npm install/upgrade of the FlyAI CLI before performing the skill, which expands the skill's effective privileges and modifies the host environment beyond what a travel matching questionnaire needs. In a skill context, instructing package installation creates supply-chain and environment-modification risk, especially when the action is presented as mandatory rather than optional and minimally scoped.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The workflow explicitly recommends disabling TLS certificate verification via NODE_TLS_REJECT_UNAUTHORIZED=0 to work around SSL failures. This enables man-in-the-middle interception and tampering of API traffic, credentials, and returned travel data, which is especially unsafe because the skill handles searches and potentially booking links.

Vague Triggers

Medium
Confidence
72% confidence
Finding
The trigger phrases are broad and ambiguous, which can cause the skill to activate for loosely related conversations such as general travel conflict or companion discussions. Unintended invocation can lead to unnecessary data collection, off-scope recommendations, and unexpected external-link generation.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The skill advertises one-click booking links without clearly warning users that responses may direct them to external action or transaction pages. This creates a risk of deceptive UX and insufficient user awareness before leaving the conversational context or initiating commercial flows.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation mandates displaying booking links whenever available but does not provide any user warning about external navigation, third-party handling, or possible transaction consequences. Because the behavior is mandatory, the omission is more dangerous than a mere UI preference issue.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file explicitly says the skill will remember user travel preferences, learn from feedback, and collect successful cases, but it provides no limits on retention, no consent mechanism, and no privacy notice. In a travel-companion matching context, these preferences and conflict-resolution histories can reveal sensitive behavioral and interpersonal data, making silent persistence and reuse a real privacy risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document describes storing user profile information in persistent memory and local files without an explicit privacy notice, retention warning, or consent flow at the point of storage design. Because the stored fields include location, budget, family composition, and special needs, silent persistence can surprise users and create meaningful privacy and compliance risk.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill directs reading a local persistent profile file from ~/.flyai/user-profile.md without any explicit consent prompt, visibility notice, or privacy warning to the user. Because this is a travel-companion matching skill, silently accessing local profile data is not strictly necessary and increases the chance of over-collection or unexpected disclosure of sensitive personal preferences.

Missing User Warnings

High
Confidence
98% confidence
Finding
Recommending TLS verification disablement without a prominent safety warning normalizes an insecure troubleshooting practice. Users may copy the command broadly, exposing subsequent FlyAI or Node-based traffic to interception and making the skill materially more dangerous than its benign travel-planning purpose suggests.

Ssd 3

Medium
Confidence
90% confidence
Finding
The workflow instructs the skill to retrieve persistent user profile data from memory or a local file and automatically use it to fill travel questionnaire fields, but it does not define minimization, consent, retention, or confirmation guardrails. In this context, the data includes travel habits and preferences that can reveal behavioral patterns, and auto-filling them may surprise users or propagate stale sensitive data into the report.

Ssd 3

Medium
Confidence
81% confidence
Finding
The report template encourages producing and sharing a detailed compatibility report that includes individual preferences, conflict patterns, spending attitudes, and suggested sharing with a travel companion. While this may be functional for the feature, it creates privacy risk because one person's profile may be disclosed to another or to third parties without explicit consent and without guidance on redaction or scope.

Session Persistence

Medium
Category
Rogue Agent
Content
If the `~/.flyai/` directory does not exist, create it first:
```bash
mkdir -p ~/.flyai
```

### File format
```markdown
# FlyAI 用户旅行画像
> 最后更新: 2026-04-03 15:30

## 基础信息
- 常驻城市: 杭州
- 出发机场: 萧山机场

## 出行偏好
- 预算偏好: 中等(3000-8000/人)
- 出行人数: 2人
- 家庭成员: 有小孩(3岁)
- 偏好类型: 海岛、亲子、自然风光
-
```
Confidence
89% confidence

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.