Security audit

volunteer-travel

Security checks across malware telemetry and agentic risk

Overview

This travel-booking skill is mostly coherent, but it tells agents to automatically install and run a global npm CLI without clear user approval or version pinning.

Review before installing. Use this only if you trust the FlyAI/Fliggy CLI and are comfortable sharing travel search details with that provider. Require explicit approval before any npm install or shell command, and prefer a pinned, local, or sandboxed CLI setup over a global install.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Intent-Code Divergence

Medium
Confidence: 82%
Finding
The skill explicitly states that only documented flags may be used, yet later instructs the agent to invoke an undocumented `--journey-type` flag. In an agent-execution context, undocumented parameters are dangerous because they bypass the declared interface contract, can mask hidden behaviors, and may cause the agent to execute commands whose effects were not reviewed or validated.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill mandates installing a package globally with `npm i -g @fly-ai/flyai-cli` if the binary is absent, without warning the user or requiring consent. In an agent environment, this causes unreviewed system modification and remote code installation, which is especially risky because package registries and install scripts can introduce supply-chain compromise or alter the host unexpectedly.

Missing User Warnings

Low
Confidence: 91%
Finding
The instruction tells the operator to run a global npm install command without any warning that it will modify the system environment and pull executable code from the package registry. In an agent setting, this can lead to unintended system changes and increases supply-chain risk if the package is compromised or installed in the wrong environment.

Missing User Warnings

Low
Confidence: 92%
Finding
This repeated fallback again instructs a global npm installation with no user-facing warning, reinforcing behavior that modifies the host system and executes externally sourced code. Repetition increases the chance that an operator or agent will treat the command as routine and run it without appropriate review.

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger terms "cheap" and "budget" are very broad and can easily appear in normal travel conversations, causing the Cheapest Option playbook to activate when the user did not explicitly request that workflow. In this skill, unintended activation mainly affects search behavior and result ranking rather than causing direct code execution or privilege escalation, but it can still mis-handle user intent and lead to incorrect bookings or recommendations.

Vague Triggers

Medium
Confidence: 87%
Finding
The trigger words "fast" and "quick" are ambiguous and commonly used in many contexts, so they may invoke the Fastest Route playbook even when the user is not asking for fastest-travel optimization. In this travel-booking context, the risk is primarily unintended workflow selection and user confusion, which could result in suboptimal itinerary choices or accidental booking flows.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.