Security audit

目的地 PK 台

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent travel comparison assistant, but it gives unsafe setup and troubleshooting instructions that can weaken the user's machine and network security.

Install only if you are comfortable reviewing the FlyAI CLI setup yourself. Do not install with sudo; prefer a pinned, local or sandboxed install; and never set NODE_TLS_REJECT_UNAUTHORIZED=0. Review or delete ~/.flyai/user-profile.md and any saved memory if you do not want travel preferences, budget, family details, or accessibility needs reused across sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Description-Behavior Mismatch

Severity: Medium (confidence 86%)
The referenced documentation exposes a broad semantic travel search capability spanning hotels, attractions, flights, trains, and mixed-intent trip planning, while the declared skill purpose is narrowly framed as destination comparison/PK. This mismatch can enable the agent to invoke a much wider tool surface than users or reviewers expect, increasing the risk of scope creep, unintended data access, and policy bypass through loosely related travel queries.

Context-Inappropriate Capability

Severity: High (confidence 99%)
The workflow explicitly instructs users to disable TLS certificate validation with NODE_TLS_REJECT_UNAUTHORIZED=0 when SSL errors occur. This defeats HTTPS trust checks and enables man-in-the-middle interception or tampering of flight-search traffic, credentials, or returned data. In this skill context, the instruction is especially dangerous because it is presented as a normal troubleshooting step for routine CLI usage.

Context-Inappropriate Capability

Severity: Medium (confidence 88%)
The skill requires a global npm install/upgrade of an external CLI as a prerequisite before searches, increasing supply-chain and system-modification risk. Forcing latest-version installation from the network can introduce unreviewed code changes and broad host impact, especially when done globally rather than in an isolated environment.

Description-Behavior Mismatch

Severity: Medium (confidence 88%)
The document defines persistent cross-platform storage of detailed travel profile data for a skill whose stated purpose is destination comparison, creating a capability/function mismatch. This expands data collection and retention beyond what is necessary for the immediate task, increasing privacy and misuse risk if the skill stores sensitive preference or family information long-term.

Context-Inappropriate Capability

Severity: Medium (confidence 91%)
This section operationalizes long-term memory and local file persistence, including reads and writes of structured user profile data, without establishing strong necessity for destination-PK functionality. The combination of durable storage and profile enrichment can enable silent accumulation of personal data such as city, budget, children, and special needs across sessions.

Context-Inappropriate Capability

Severity: Medium (confidence 89%)
The instructions prioritize reading and writing Qoder Memory for a '用户旅行画像' (user travel profile), which grants the skill durable user-data management capabilities beyond simple destination comparison. In a conversational travel context, that creates a realistic risk of over-collection and cross-session profiling without sufficient user awareness or tight purpose limitation.

Missing User Warnings

Severity: Medium (confidence 93%)
The skill is designed to read user profile data automatically at startup from memory or a local file without an explicit user-facing notice or just-in-time consent. This creates a privacy risk because personal preference data may be accessed unexpectedly, and the fallback to reading a local file increases sensitivity by touching potentially broader local profile content.

Vague Triggers

Severity: Low (confidence 75%)
The ai-search reference describes a required free-form natural-language query but does not define operational boundaries for when the skill may be invoked or what requests are out of scope. In an agent setting, underspecified invocation scope can cause over-broad tool use, where general travel planning requests are routed into this skill despite its stated destination-comparison purpose.

Missing User Warnings

Severity: Medium (confidence 85%)
The markdown directs users to run a global npm install and even suggests sudo without clearly warning that this changes the host system and executes third-party package code with elevated privileges. In a skill workflow, normalizing such commands can lead users to make risky system-wide changes without understanding the security implications.

Missing User Warnings

Severity: High (confidence 99%)
The markdown recommends disabling TLS certificate verification as a troubleshooting step and does so without emphasizing the severe security consequences. This can train users to bypass core transport security controls, exposing any subsequent CLI communication to interception and tampering.

Missing User Warnings

Severity: Medium (confidence 93%)
The document describes storing user profiles in Qoder Memory and local files but does not provide a clear privacy notice about persistence, local disk storage, or the sensitivity of fields like family composition and special needs. Users may reasonably believe they are only getting a one-time destination comparison, not creating a persistent profile across tools and environments.

Ssd 2

Severity: High (confidence 99%)
The instruction to set NODE_TLS_REJECT_UNAUTHORIZED=0 disables certificate validation for Node-based requests, creating an unsafe default for CLI execution. This materially weakens transport security and can allow attackers on the network path or behind a malicious proxy to impersonate endpoints and alter results or harvest sensitive data.

VirusTotal

64/64 vendors flagged this skill as clean.