Security audit

极限出发

Security checks across malware telemetry and agentic risk

Overview

This travel skill is mostly coherent, but it asks agents to install an unpinned global CLI, bypass TLS checks, and persist detailed travel profile data.

Review before installing. Only allow the CLI install if you trust the package, avoid sudo and unpinned latest installs, do not run searches with TLS verification disabled, and store travel preferences only if you are comfortable keeping that profile in memory or a plaintext local file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (12)

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The referenced documentation describes Marriott package search behavior, which is materially different from the skill’s declared instant-departure flight discovery purpose. This kind of capability mismatch can cause the agent to invoke the wrong tool or return irrelevant travel products, leading to unsafe automation decisions, misleading bookings, and erosion of trust in downstream travel actions.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The reference file documents a train-search capability, while the skill is described as an instant flight departure assistant that should surface flights, hotels, and attractions. This mismatch can cause the agent to invoke the wrong tool or reason from incorrect capability assumptions, leading to misleading travel recommendations, failed bookings, or disclosure of irrelevant transportation results in a time-sensitive travel workflow.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The document defines a cross-platform persistent user-profile storage system for travel preferences and history, which goes beyond the stated purpose of an instant-departure flight search helper. This creates unnecessary collection and retention of personal data, expanding privacy risk and attack surface without clear necessity for the skill’s core function.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The write path explicitly instructs the skill to persist user preference data to Qoder Memory, including travel-related personal information, without establishing a strong purpose limitation tied to instant-departure search. Persistent writes can expose sensitive preference data across sessions or tools and create privacy and compliance issues if the user did not clearly consent.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The local-file mode stores a detailed travel profile in ~/.flyai/user-profile.md, including home city, airport, budget, family composition, travel history, and special needs. Keeping this detailed personal data in a predictable plaintext file materially increases privacy exposure, especially on shared or compromised systems, and is unrelated to the narrow task of finding immediate departure options.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The workflow explicitly instructs operators to disable TLS certificate verification with NODE_TLS_REJECT_UNAUTHORIZED=0 when FlyAI encounters certificate errors. This removes HTTPS server identity checks and enables man-in-the-middle interception or tampering of flight, hotel, and booking-link responses, which is especially risky because the skill later relies on returned jumpUrl values for user-facing booking actions.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill requires a global npm install/upgrade of a CLI before performing its travel-search function, expanding its capabilities into software installation and execution on the host. Installing the latest package at runtime increases supply-chain and environment-modification risk, especially because it uses a mutable 'latest' tag and affects the global system state.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrases include very broad everyday expressions such as '今天能去哪' ("where can I go today"), '马上出发' ("leave right now"), and '突然想走' ("suddenly feel like going"), which can overlap with ordinary conversation and cause the skill to activate when the user did not intend to invoke travel booking behavior. In a skill that performs search, planning, and potentially booking-oriented actions, overbroad activation increases the chance of unintended tool use, privacy exposure from reading travel preferences, and user confusion.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The example explicitly shows external search, booking actions, and booking links, but gives no indication that user trip details may be transmitted to third-party flight, hotel, or attraction services. This creates a transparency and privacy-consent gap: users may reveal location, timing, budget, and travel plans without understanding that external providers could receive that data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document describes collecting and persisting detailed user travel-profile data but does not provide a clear privacy notice, data-retention policy, or warning about the implications of local and cross-session storage. This omission increases the likelihood that users or integrators will store sensitive personal data without informed consent or adequate safeguards.

Missing User Warnings

High
Confidence
98% confidence
Finding
The documentation normalizes bypassing TLS verification without a strong warning or compensating controls. Presenting this as routine troubleshooting encourages unsafe operation and can expose users to spoofed endpoints, altered search results, and malicious booking links in a context involving travel purchases.

Session Persistence

Medium
Category
Rogue Agent
Content
If the `~/.flyai/` directory does not exist, create it first:
```bash
mkdir -p ~/.flyai
```

### File format
Confidence
91% confidence
Finding
```bash
mkdir -p ~/.flyai
```

### File format

```markdown
# FlyAI 用户旅行画像
> 最后更新: 2026-04-03 15:30
## 基础信息
- 常驻城市: 杭州
- 出发机场: 萧山机场
## 出行偏好
- 预算偏好: 中等(3000-8000/人)
- 出行人数: 2人
- 家庭成员: 有小孩(3岁)
- 偏好类型: 海岛、亲子、自然风光
-
```

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.