Security audit

平替旅行家

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent travel-planning helper, but it tells agents to install unpinned global CLI packages, possibly with sudo, and disables TLS checks for routine searches.

Review this carefully before installing. Do not allow sudo, global npm installs, npx @latest execution, registry changes, or NODE_TLS_REJECT_UNAUTHORIZED=0 unless you explicitly accept those risks. If you use the skill, avoid saving sensitive family, budget, or special-needs details unless you want them persisted, and periodically review or delete ~/.flyai/user-profile.md or related memory entries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
Findings (16)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill introduces persistent memory and profile retention that exceed the immediate need of recommending substitute destinations. Storing user preferences and history creates avoidable privacy and data-retention risk, especially if users are not clearly informed, given opt-in consent, or provided deletion controls.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Documenting direct local file reads and writes for user profiles gives the skill unnecessary filesystem access relative to its travel recommendation purpose. This expands the attack surface and risks unauthorized access, modification, or exposure of local user data beyond the requested task.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
Advertising autonomous self-learning and continuous growth signals behavior outside the declared bounded recommendation workflow. In practice, this can justify unreviewed state changes, hidden retention, or adaptive behavior that is hard for users and operators to audit.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The instruction to set NODE_TLS_REJECT_UNAUTHORIZED=0 disables TLS certificate verification, enabling man-in-the-middle attacks and defeating transport security. This is unrelated to destination substitution and is especially dangerous because it normalizes bypassing a core security control during network operations.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The reference file documents Marriott hotel search behavior, which is materially unrelated to the skill's declared purpose of recommending cheaper substitute destinations. This kind of capability/documentation mismatch can cause an agent to invoke the wrong tool, produce misleading travel advice, or expose users to unintended booking-oriented workflows instead of the expected destination-substitution logic.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The document instructs the skill to collect and persist a fairly detailed travel profile across sessions, including city, airport, budget, family composition, travel history, and special needs. For a destination-substitution skill, this exceeds what is clearly necessary for the immediate task and creates unnecessary privacy and surveillance risk if stored long-term.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The cross-platform design normalizes persistent storage of detailed user profiles in both memory and local files without clearly justifying why this skill needs long-term profile retention. Broad persistence increases exposure surface across environments and can leak personal preference and household information beyond the original interaction.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The workflow explicitly sets NODE_TLS_REJECT_UNAUTHORIZED=0 for all FlyAI network searches, which disables TLS certificate verification and allows man-in-the-middle interception or tampering of flight, hotel, and destination queries. In a travel-planning skill, there is no legitimate need to weaken transport security this way, so the skill context makes this more dangerous rather than less because it normalizes insecure defaults for routine network operations.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The workflow requires a global npm install/upgrade of a CLI before performing the travel task, causing system-wide package modification unrelated to recommending substitute destinations. This expands the skill's operational scope and increases supply-chain and host-integrity risk, especially because users are told to always upgrade to the latest version rather than a pinned, reviewed release.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document explicitly says it will remember user parameters, learn preference patterns, and accumulate successful cases, but provides no notice about what data is retained, how long it is stored, or whether the user can opt out. In a travel recommendation context, these preferences can reveal sensitive behavioral and location information, creating privacy and profiling risks if collected or reused without transparency and consent.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill states it will proactively provide information and predict the user's next needs, which implies monitoring behavior and performing inference on user activity without any disclosure or consent language. Even in a benign travel assistant, this can feel covert and may lead to overcollection, unwanted profiling, or unexpected use of personal context.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file describes storing persistent user profile data but provides no explicit privacy notice, retention policy, or warning about local storage and cross-session reuse. Users may not understand that personal details are being saved beyond the current request, which raises consent and compliance concerns.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The markdown instructs users to run a global npm install and suggests sudo for permission issues without clearly warning about the risks of elevated, system-wide package installation. This can lead users to execute unreviewed package-management actions as root, magnifying the consequences of a compromised package or typo-squatted dependency.

Missing User Warnings

High
Confidence
99% confidence
Finding
The search commands disable TLS verification but provide no warning about the security implications, encouraging unsafe copy-paste execution. This is dangerous because users may adopt the pattern broadly, enabling interception and tampering of all subsequent FlyAI network traffic.

Ssd 3

Medium
Confidence
94% confidence
Finding
The instructions explicitly retain user preferences and history, creating a privacy risk beyond what is needed to answer a single travel query. This increases the chance of collecting sensitive profile data over time without clear necessity, consent, or lifecycle controls.

Session Persistence

Medium
Category
Rogue Agent
Content
If the `~/.flyai/` directory does not exist, create it first:
```bash
mkdir -p ~/.flyai
```

### File format
Confidence
90% confidence
Finding
```markdown
# FlyAI user travel profile
> Last updated: 2026-04-03 15:30
## Basic information
- Home city: Hangzhou
- Departure airport: Xiaoshan Airport
## Travel preferences
- Budget preference: medium (3000-8000 per person)
- Number of travellers: 2
- Family members: has a small child (3 years old)
- Preferred types: islands, family-friendly, natural scenery
-
```

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.