Back to skill

Security audit

remote-work-travel

Security checks across malware telemetry and agentic risk

Overview

This flight-search skill is travel-focused and not malicious, but it needs review because it tells agents to install an unpinned global npm CLI and send trip searches through it without a clear consent gate.

Install only if you trust the flyai CLI and are comfortable with your agent running flight-search commands that may send route and date details to the provider. Approve any npm install manually, prefer a pinned or sandboxed install, and review booking links before taking any purchase action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The skill explicitly states that only parameters listed in the Parameters table may be used, but later instructs the agent to invoke `--journey-type`, which is undocumented there. This contradiction can cause the agent to ignore its own guardrails, invent unsupported flags, or execute commands inconsistently, increasing the risk of unsafe command use and unreliable behavior.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill instructs the agent to globally install and then execute a CLI (`npm i -g @fly-ai/flyai-cli`) without explicit user consent or warning that it will modify the host environment. Allowing a skill to trigger package installation is dangerous because it expands the attack surface to the npm supply chain and permits persistent system changes from untrusted skill content.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill requires use of an external CLI for flight search, which likely transmits user travel details such as origin, destination, and dates to a third-party service, but provides no privacy or network disclosure. This is risky because users may unknowingly expose sensitive itinerary or location information, and agents may send it automatically under the skill's mandatory workflow.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger terms "cheap" and "budget" are very broad and can easily appear in ordinary travel conversations, causing this playbook to activate when the user did not explicitly request the cheapest-flight workflow. In a booking skill, that can steer results toward cost optimization unexpectedly and increase the chance of unintended tool use or user-confusing behavior.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger terms "fast" and "quick" are insufficiently scoped because they are common words that may refer to response speed rather than flight selection criteria. This ambiguity can cause accidental activation of the fastest-route playbook and lead the agent to run booking-related searches based on an unintended interpretation of the user's request.

Vague Triggers

Low
Confidence
82% confidence
Finding
The fallback condition "0 results from above playbooks" lacks clear invocation boundaries and may trigger additional searches without explicit user approval. Because it chains from structured flight search to a broad keyword search, it increases the risk of unintended tool execution and less predictable behavior, though the impact is limited by the travel-focused context.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.