Security audit

行李清单 Pro

Security checks across malware telemetry and agentic risk

Overview

This packing-list skill has a coherent travel purpose, but it asks the agent to install an unpinned global CLI and disable TLS certificate checks, so users should review it before use.

Install only if you trust the FlyAI CLI and are comfortable with a global npm package. Do not allow the agent to use sudo or disable TLS certificate validation; secure certificate validation should remain enabled. Review or delete any saved ~/.flyai/user-profile.md or memory entries if you do not want travel, budget, family, or preference details reused later.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The skill requires a global npm installation and upgrade of a CLI before performing a simple packing-list task, which is disproportionate to the stated functionality and modifies the host environment unnecessarily. Recommending repeated global installation, and even suggesting sudo, increases supply-chain and system-integrity risk if the package, registry path, or execution context is compromised.

Context-Inappropriate Capability

Severity: High
Confidence: 100%
Finding
The skill explicitly instructs setting NODE_TLS_REJECT_UNAUTHORIZED=0, which disables TLS certificate validation for outbound requests. This enables man-in-the-middle interception or tampering of network traffic, making any downloaded data or remote responses untrustworthy and dramatically increasing exposure beyond the packing-list use case.

Description-Behavior Mismatch

Severity: Medium
Confidence: 85%
Finding
The skill extends from generating packing lists into searching flights, hotels, and attractions, which broadens its operational scope beyond the manifest description. Scope creep increases the chance of unexpected tool invocation, data access, and user confusion about what capabilities are being exercised.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The document defines persistent collection and retention of user travel-profile data that exceeds what a packing-list generator needs to function in a single session. Persisting residence city, airport, family composition, travel history, and special needs creates unnecessary privacy and data minimization risk, especially if users are not clearly informed about retention scope and purpose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The spec explicitly instructs writing user profile data to a local file in the user's home directory, creating durable storage of personal and travel-related information outside the immediate task. This broadens exposure to other local processes, shared accounts, backups, or accidental disclosure, and is not justified by the stated packing-list use case.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill tells the agent or user to run global installation and upgrade commands without clearly warning that they will modify the local machine. In this context, poor disclosure is security-relevant because the command changes system state and could normalize unsafe execution of unnecessary software.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill directs reading user memory and a local profile file at startup without clear, informed disclosure or consent. Accessing historical preferences and local files introduces privacy risk and violates least-privilege expectations for a packing-list generator, especially when done automatically.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The query parameter guidance is extremely permissive and accepts broad natural-language inputs across many travel domains without defining boundaries, allowed intents, or exclusion rules. In a skill that may automatically invoke search based on user phrases like packing or trip preparation, this can cause over-triggering, irrelevant searches, and unintended handling of sensitive or risky requests, expanding the attack surface for prompt manipulation and data misuse.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The storage design encourages saving potentially sensitive personal and travel information in memory systems and local files without meaningful privacy warnings, retention limits, or security guidance. Users may not understand that details like home city, child status, travel history, and preferences are being persisted beyond the current interaction.

Session Persistence

Severity: Medium
Category: Rogue Agent
Confidence: 89%
Content
If the `~/.flyai/` directory does not exist, create it first:
```bash
mkdir -p ~/.flyai
```

### File format
```markdown
# FlyAI 用户旅行画像
> 最后更新: 2026-04-03 15:30
## 基础信息
- 常驻城市: 杭州
- 出发机场: 萧山机场
## 出行偏好
- 预算偏好: 中等(3000-8000/人)
- 出行人数: 2人
- 家庭成员: 有小孩(3岁)
- 偏好类型: 海岛、亲子、自然风光
-
```

VirusTotal

65/65 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.