
Security audit

同城不同价

Security checks across malware telemetry and agentic risk

Overview

This travel-price skill is mostly coherent, but its instructions include risky setup and network practices that users should review before installing.

Install only after reviewing the workflow. Do not let the agent run sudo or automatically install an unpinned global CLI; use a verified, pinned CLI if needed. Remove the TLS-bypass setting before use, and decide whether you are comfortable storing travel preferences in Memory or ~/.flyai/user-profile.md.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
Findings (17)

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding: The skill's declared purpose is multi-airport airfare comparison, but it instructs the agent to also fetch hotel and attraction booking links. That broadens tool usage and user redirection beyond the stated scope, increasing the chance of unnecessary data access, affiliate-style steering, or actions the user did not request. In a travel context this is not inherently malicious, but it is a real scope-expansion risk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: Documenting hotel and attraction search capability without justification in an airport price-comparison skill creates unjustified privilege and feature creep. This mismatch between stated purpose and implemented guidance can be exploited to nudge users into unrelated bookings or invoke extra tools that are not needed for the requested task. The contextual mismatch makes the behavior more suspicious because these capabilities are orthogonal to finding the cheapest departure airport.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The referenced documentation describes a generic AI travel search interface covering hotels, attractions, flights, trains, and mixed-intent trip planning, which is materially broader than the skill's stated purpose of multi-airport fare comparison. This mismatch can cause the skill to be invoked for unrelated travel tasks, expanding data access and behavior beyond user expectations and weakening least-privilege boundaries.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The documentation exposes itinerary, hotel, attraction, and train search capabilities that are not necessary for comparing nearby departure airports. Unnecessary capability exposure increases the chance of overbroad invocation, unintended data processing, and agent misuse where the skill becomes a general travel planner instead of a constrained fare-comparison tool.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The referenced documentation describes a Marriott hotel search capability, which does not match the declared skill purpose of multi-airport fare comparison. This kind of skill/documentation mismatch is dangerous because an agent or operator may invoke the wrong tool, request the wrong parameters, or expose unrelated capabilities and data flows under a misleading interface, increasing the risk of unsafe automation and policy bypass.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: The document defines persistent collection and storage of user travel-profile data across sessions using either platform memory or a local file, even though the skill's stated purpose is multi-airport price comparison. This expands data access and retention beyond what is necessary for the core function, creating avoidable privacy risk and a broader attack surface if the stored profile is later exposed, overused, or accessed by other skills/components.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The workflow mandates a global install/upgrade of an external CLI before performing the skill, which exceeds the minimum capability needed for a flight-comparison workflow and modifies the host system state. Requiring broad package installation increases supply-chain and persistence risk, especially because it happens unconditionally rather than using a pinned, isolated, least-privilege execution path.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: The workflow explicitly recommends using sudo for global npm installation, which introduces privileged execution unrelated to comparing flight prices. Running package installation as root significantly increases the blast radius of a compromised package, typo-squatted dependency, or install script and can lead to full system compromise.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: Setting NODE_TLS_REJECT_UNAUTHORIZED=0 disables TLS certificate validation for flight searches, allowing man-in-the-middle interception or tampering with supposedly secure network traffic. In a travel-booking context this is especially dangerous because search results and returned URLs could be altered, leading to phishing, data exposure, or manipulated booking outcomes.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The parameter documentation allows a full natural-language query with complex mixed travel intent but does not define what should or should not activate this skill. In this context, that makes routing overly permissive and can cause the skill to process broad travel-planning requests unrelated to multi-airport comparison, undermining scope control.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The document explicitly says the skill will remember user parameters, learn preference patterns, and accumulate cases, but provides no limits on what is stored, how long it is retained, or whether users consent to this profiling. In a travel-pricing skill, these data points can reveal location habits, budget sensitivity, and behavioral patterns, creating privacy and profiling risk even if no obviously sensitive data is mentioned.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The skill describes proactively surfacing information and predicting the user's next needs without any guardrails or disclosure about behavioral inference. This can lead to opaque profiling and autonomy concerns, especially in a system that analyzes travel intent and may influence user decisions based on inferred preferences the user did not knowingly provide.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The spec instructs reading and writing persistent personal travel data to Qoder Memory or a local file but provides no privacy notice, retention policy, consent language, or warning about cross-session persistence. Users may unknowingly disclose sensitive lifestyle and family information that is then stored indefinitely, which is a security and privacy issue even if no exploit code is present.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The workflow instructs system-wide CLI installation and even privileged installation paths without warning about package-install scripts, PATH changes, or host modification risk. Omitting those warnings makes unsafe operation more likely and normalizes high-risk behavior for a routine travel-search task.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: The workflow disables TLS verification with no warning, which is an unsafe default and not an acceptable workaround for routine network operations. Users or agents following this instruction may unknowingly trust forged certificates and consume attacker-controlled flight data or links.

Ssd 3

Severity: Medium
Confidence: 84%
Finding: The workflow requires always extracting and surfacing jumpUrl values from API responses without any minimization, validation, or consent checks. In a booking context, such URLs may embed tracking tokens, session-bound parameters, or user-specific booking artifacts, and blindly exposing them can leak sensitive data or redirect users to untrusted destinations if the upstream response is manipulated.

Session Persistence

Severity: Medium
Category: Rogue Agent
Confidence: 88%
Content (the skill text that triggered this finding):
If the `~/.flyai/` directory does not exist, create it first:
```bash
mkdir -p ~/.flyai
```

### File format
```markdown
# FlyAI 用户旅行画像
> 最后更新: 2026-04-03 15:30
## 基础信息
- 常驻城市: 杭州
- 出发机场: 萧山机场
## 出行偏好
- 预算偏好: 中等(3000-8000/人)
- 出行人数: 2人
- 家庭成员: 有小孩(3岁)
- 偏好类型: 海岛、亲子、自然风光
-
```

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.