Security audit

FlyAI Skipticket Search

Security checks across malware telemetry and agentic risk

Overview

The packaged files look like a normal skill-authoring helper, but the listing metadata presents it as an unrelated FlyAI skipticket/flight skill with high-impact tags.

Review this before installing because the marketplace/listing identity does not match the actual package. Install it only if you want an agent to create or modify local skill packages, and inspect generated skills before placing them in an auto-discovered skills directory.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 72% confidence
Finding: The description is broad enough that the skill may trigger for many requests about creating or updating skills, including cases where the user did not intend code generation, file editing, or packaging actions. Over-triggering can expose the agent to unnecessary operational instructions and increase the likelihood of tool use beyond the user's expectations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.