Security audit

一键抄作业

Security checks across malware telemetry and agentic risk

Overview

This travel-planning skill has a legitimate purpose, but it asks agents to weaken HTTPS protection and make broad host changes before using it.

Install only if you are comfortable with external travel-link fetching, FlyAI searches, generated booking links, and saved travel preferences. Do not run the suggested sudo/global install or any NODE_TLS_REJECT_UNAUTHORIZED=0 commands unless you knowingly accept the security tradeoff; prefer a pinned, user-level FlyAI CLI install with normal HTTPS validation enabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (19)

Context-Inappropriate Capability (Severity: High, Confidence: 99%)

The skill explicitly instructs operators to run FlyAI commands with `NODE_TLS_REJECT_UNAUTHORIZED=0`, which disables TLS certificate validation. This makes HTTPS connections vulnerable to man-in-the-middle interception or modification, especially dangerous here because the skill fetches external travel content and may process user itinerary and profile data.

Context-Inappropriate Capability (Severity: High, Confidence: 99%)

The workflow explicitly sets NODE_TLS_REJECT_UNAUTHORIZED=0 for FlyAI network commands, which disables TLS certificate verification. This permits man-in-the-middle interception or tampering with flight, hotel, and POI query traffic, exposing user travel data and allowing falsified results to be returned.

Context-Inappropriate Capability (Severity: Medium, Confidence: 88%)

The skill instructs a global npm install/upgrade of a CLI on the host before doing any work. Installing or upgrading tooling system-wide changes the user's environment, introduces supply-chain risk, and exceeds what should be a minimal-content-processing workflow for itinerary conversion.

Context-Inappropriate Capability (Severity: Medium, Confidence: 99%)

The documentation explicitly instructs users to disable TLS certificate verification for all FlyAI commands by setting NODE_TLS_REJECT_UNAUTHORIZED=0. This removes server certificate validation and enables man-in-the-middle interception or tampering of travel search results and booking links, which is not justified by the itinerary-conversion purpose of the skill.

Context-Inappropriate Capability (Severity: Medium, Confidence: 98%)

The documentation instructs operators to run a shell command with NODE_TLS_REJECT_UNAUTHORIZED=0, which disables TLS certificate validation for outbound connections. This creates a man-in-the-middle risk where search results or backend responses could be intercepted or tampered with, and the itinerary-conversion context does not require weakening transport security.

Context-Inappropriate Capability (Severity: Medium, Confidence: 98%)

This second workflow again normalizes disabling TLS verification before invoking a search tool, teaching an unsafe operational pattern rather than a necessary capability. Because the skill consumes external travel data, tampered responses could mislead bookings, alter hotel matches, or expose users to attacker-controlled content.

Context-Inappropriate Capability (Severity: Medium, Confidence: 99%)

The guide explicitly instructs operators to disable TLS certificate verification for all FlyAI commands, which removes protection against man-in-the-middle attacks and spoofed endpoints. In this skill, those commands retrieve travel inventory and itinerary data from remote services, so tampered responses could mislead users, expose sensitive travel queries, or poison downstream booking recommendations.

Description-Behavior Mismatch (Severity: Medium, Confidence: 92%)

The document defines cross-platform persistent storage of a user's travel profile, which exceeds the core purpose of converting shared travel guide (攻略) links into bookable itineraries. This creates unnecessary collection and retention of personal preference data across sessions, expanding privacy risk and attack surface without a clear need tightly scoped to the skill's stated function.

Context-Inappropriate Capability (Severity: Medium, Confidence: 95%)

The local file mode instructs the agent to store structured travel profile information under ~/.flyai/user-profile.md, enabling long-lived storage of personal data such as home city, family composition, and travel preferences on the user's machine. For this skill context, that persistence is not essential to processing a single travel guide (攻略) link and can expose sensitive data to other local processes, backups, or later unintended reuse.

Context-Inappropriate Capability (Severity: Medium, Confidence: 94%)

The Qoder Memory mode creates or updates a persistent user profile in long-term memory, allowing the skill to accumulate personal preference data beyond the immediate request. In an itinerary-copying skill, this is broader than necessary and risks hidden cross-session profiling, especially if users do not fully understand that preferences and family details may be retained indefinitely.

Missing User Warnings (Severity: Medium, Confidence: 83%)

The skill states it will read and later save user profile data from memory or a local file, but it does not require explicit user notice or consent before accessing or persisting personal travel preferences. In this context, travel profile information can reveal location, habits, companions, and budget patterns, creating avoidable privacy and data-handling risk.

Missing User Warnings (Severity: Medium, Confidence: 78%)

The skill encourages users to provide external platform links and states it will parse or fetch them, but it does not warn about third-party content retrieval, possible transmission of user-supplied URLs, or associated privacy/security implications. In a skill that processes social and travel links, this omission increases risk of unintended data exposure and unsafe handling of untrusted external content.

Missing User Warnings (Severity: High, Confidence: 99%)

The markdown tells users to run a command that disables TLS verification without any safety warning or constrained exception case. Presenting insecure transport settings as routine guidance normalizes dangerous behavior and can lead directly to compromised network sessions and manipulated search results.

Missing User Warnings (Severity: Medium, Confidence: 82%)

The workflow directs the agent to create an HTML file in the user's workspace without a clear prior consent or warning about writing files. Unannounced file creation can surprise users, overwrite expected workspace state, and persist content derived from untrusted URLs or OCR input that may later be opened in a browser.

Missing User Warnings (Severity: High, Confidence: 99%)

The file tells users to bypass SSL certificate validation without clearly describing the security consequences. This normalizes an unsafe practice and can expose all API requests and responses to spoofing, interception, and modification by network attackers.

Missing User Warnings (Severity: Medium, Confidence: 83%)

The skill encourages automatic fetching of third-party links without clearly warning users about privacy implications, external data access, or possible use of authenticated/session-based views. In this context, users may paste personal or semi-private travel links expecting simple parsing, while the system may perform network retrieval that affects privacy expectations and data handling.

Missing User Warnings (Severity: Medium, Confidence: 91%)

The Browser Agent is instructed to open and scroll through a mobile page, which is a more invasive browsing action than simple content fetch, yet the doc does not say this behavior should be disclosed to the user. In a travel-link parsing skill, hidden browser-style interaction can surprise users, potentially touch login-gated content, and increase privacy and session-handling risk.

Missing User Warnings (Severity: High, Confidence: 99%)

The document not only recommends disabling TLS verification globally for these commands, but also omits any meaningful warning about the resulting security exposure. That combination normalizes an insecure practice as standard operating procedure, increasing the chance that agents or developers will use untrusted network responses as if they were authentic.

Missing User Warnings (Severity: Medium, Confidence: 90%)

The document describes storing user travel profile data locally and in memory but does not include an explicit privacy notice, retention period, deletion method, or warning about the sensitivity of the information being stored. This omission increases the chance of uninformed consent and silent accumulation of personal data, particularly because the stored fields include potentially sensitive household and behavioral information.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.