Security audit

旅行灵感聊天 (Travel Inspiration Chat)

Security checks across malware telemetry and agentic risk

Overview

This travel-planning skill is mostly aligned with its purpose, but it needs review because it normalizes insecure network commands, global CLI installation, and persistent travel-profile storage.

Review before installing. Do not allow the skill to disable HTTPS certificate checks, run sudo npm installs, or globally upgrade an unpinned CLI unless you understand and accept the risk. Decide whether you want travel preferences stored in Qoder Memory or ~/.flyai/user-profile.md, and avoid saving sensitive family, budget, accessibility, or trip-history details unless needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (23)

Context-Inappropriate Capability

Severity: High | Confidence: 99%
The skill explicitly instructs operators to disable TLS certificate verification by setting NODE_TLS_REJECT_UNAUTHORIZED=0 when SSL errors occur. This removes protection against man-in-the-middle attacks and allows the agent to trust spoofed endpoints, which is especially dangerous in a tool that fetches live travel content and may process personal preference data.

Context-Inappropriate Capability

Severity: Medium | Confidence: 94%
The workflow instructs the agent or user to globally install/upgrade a CLI before performing travel searches, and even suggests using sudo for permission issues. That expands the skill from travel planning into software installation and privilege-affecting system changes, increasing supply-chain and host-compromise risk if the package, registry path, or execution environment is untrusted.

Context-Inappropriate Capability

Severity: High | Confidence: 99%
The command explicitly sets NODE_TLS_REJECT_UNAUTHORIZED=0, disabling TLS certificate verification for a networked search. This allows man-in-the-middle interception or tampering with travel queries and returned results, which is especially risky because user travel preferences and potentially identifying itinerary data are transmitted.

Context-Inappropriate Capability

Severity: High | Confidence: 99%
The workflow repeats the TLS-bypass pattern across flight, hotel, and POI searches, normalizing insecure network access for multiple user-data flows. This broadens exposure from one query to full itinerary construction, making interception, response manipulation, and privacy compromise significantly more damaging in the travel-assistant context.

Intent-Code Divergence

Severity: High | Confidence: 99%
The document explicitly instructs users to set NODE_TLS_REJECT_UNAUTHORIZED=0, which disables TLS certificate validation for FlyAI commands. This permits man-in-the-middle interception of API traffic, exposing travel queries and potentially any session tokens or sensitive data, and it normalizes an insecure workaround as standard usage.

Context-Inappropriate Capability

Severity: High | Confidence: 99%
The document explicitly instructs operators to run all FlyAI commands with NODE_TLS_REJECT_UNAUTHORIZED=0, which disables TLS certificate verification globally for those requests. This enables man-in-the-middle attacks and silent interception or modification of flight, hotel, visa, and booking-related traffic, which is unjustified for a travel-planning skill and especially risky because it is presented as a blanket requirement.

Description-Behavior Mismatch

Severity: Medium | Confidence: 93%
The document expands a travel-planning skill into persistent cross-session user profiling across platforms, which materially increases data collection and retention beyond a simple interactive planning function. Even if framed as personalization, this creates privacy and scope-creep risk because sensitive travel habits, family details, and location data may be stored and reused without clear minimization or explicit consent boundaries.

Context-Inappropriate Capability

Severity: Medium | Confidence: 96%
The file instructs the agent to create and update a profile file under the user's home directory, enabling durable local storage of personal data such as city, family composition, travel history, and special needs. This is dangerous because it writes plaintext personal information outside the immediate conversation context, potentially without platform-level safeguards, user awareness, access controls, or lifecycle management.

Missing User Warnings

Severity: Medium | Confidence: 88%
The skill says it reads, remembers, and updates user preferences and profile data, but does not provide a clear privacy notice, retention policy, or meaningful consent flow. In context, the data includes travel habits, departure city, companions, and persona preferences, so silent collection and reuse increase privacy risk and the chance of inappropriate cross-session disclosure.

Missing User Warnings

Severity: Medium | Confidence: 91%
The documented fallback behavior reads a local file from ~/.flyai/user-profile.md without presenting a clear warning or consent mechanism to the user. Accessing local profile data automatically broadens the skill's reach into stored personal information and can expose data the user did not expect this conversation to use.

Missing User Warnings

Severity: High | Confidence: 98%
The markdown not only disables TLS verification but also omits any warning that doing so makes the connection insecure. Users and downstream agents may unknowingly send travel-related data over a channel vulnerable to interception and tampering, increasing the chance of silent compromise.

Missing User Warnings

Severity: High | Confidence: 99%
Multiple insecure search commands are presented as standard workflow without disclosing the privacy and integrity consequences. Because flight, hotel, destination, and date information can reveal sensitive travel plans, the omission materially increases user risk in this skill context rather than being a harmless documentation issue.

Missing User Warnings

Severity: High | Confidence: 98%
The markdown tells users to bypass SSL verification without giving an adequate security warning or limiting the advice to a tightly controlled debugging context. In a travel assistant context, users are likely to treat command examples as safe defaults, which increases the chance of broad insecure use and interception of network traffic.

Missing User Warnings

Severity: Medium | Confidence: 94%
The skill documents persistent storage of detailed travel-profile data such as departure city, companions, preferences, budget, lodging, and destination history, but it does not require any user-facing notice, consent, or retention disclosure. This creates a privacy risk because users may unknowingly provide personal profile information that is stored and reused across sessions, enabling unintended profiling or over-collection.

Missing User Warnings

Severity: Medium | Confidence: 96%
The documented default behavior automatically reads previously stored memory on skill startup unless the user explicitly asks to ignore it, which applies historical preferences and persona data without proactive disclosure. This is dangerous because it bypasses meaningful user awareness and can lead to invisible personalization based on stored personal data, including stale or sensitive inferences.

Vague Triggers

Severity: Medium | Confidence: 80%
The skill states it will automatically invoke abilities based on user needs, but the document does not define strict activation boundaries, confirmation requirements, or denial conditions. In a multi-tool agent, this can cause unintended tool use, over-collection of user data, or triggering external searches on ambiguous prompts, increasing the attack surface and risk of misuse.

Vague Triggers

Severity: Medium | Confidence: 88%
Several trigger phrases are extremely broad everyday language, such as '带什么' (what to bring), 'PK' (compare), '帮我说服' (help me persuade), '不知道去哪' (don't know where to go), and '现在出发' (leaving now), making accidental or adversarial activation much more likely. In this skill context, broad triggers can route unrelated conversations into external command execution or persuasive-output flows without sufficient user intent validation.

Missing User Warnings

Severity: High | Confidence: 98%
The document not only disables TLS verification but does so without adequately describing the security consequences, normalizing an unsafe operating mode for routine use. This materially increases risk because operators may adopt the bypass permanently and expose user travel searches, personal itinerary data, and downstream service responses to interception or tampering.

Missing User Warnings

Severity: Medium | Confidence: 91%
The local-file storage guidance omits any warning that the profile is stored as readable local plaintext containing personal and potentially sensitive attributes. Without a privacy notice, users may not understand that their travel preferences, household information, and special requirements could remain on disk and be accessible to other local processes or users.

Ssd 3

Severity: Medium | Confidence: 90%
The skill is designed to persist and reuse user profile information across sessions, creating a natural-language data retention risk. Because the stored data includes user preferences and potentially identifying travel context, reuse across future conversations can leak prior-session information or over-collect personal data beyond user expectations.

Ssd 3

Severity: Medium | Confidence: 92%
Automatically reading historical profile data from memory or a local file at startup means the skill begins with potentially sensitive personal context before the user confirms they want that behavior. This increases the risk of unwanted personalization, surprise disclosure, and misuse of previously stored information in the wrong conversational context.

Ssd 3

Severity: Medium | Confidence: 89%
The workflow directs real-time memory updates whenever users mention travel-related details such as departure city, companions, or preferences. This encourages broad passive collection of personal data from ordinary conversation, increasing retention and leakage risks without clear user approval for each category of data stored.

Ssd 3

Severity: Medium | Confidence: 87%
The skill directs immediate memory updates after persona selection and later encourages saving newly discovered preferences, reinforcing persistent profiling by default. Even if the stored items seem low sensitivity individually, combining them over time can create a detailed behavioral profile that may be exposed or reused unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.