Back to skill

Security audit

winter-escape-flight

Security checks across malware telemetry and agentic risk

Overview

This flight-search skill is not clearly malicious, but it can automatically install and run an unpinned global CLI from npm for broad travel requests.

Review before installing. Use this only if you are comfortable with an agent running flyai commands and potentially installing `@fly-ai/flyai-cli` globally from npm. Prefer installing and verifying the CLI yourself first, or run it in an isolated environment. Do not provide unnecessary personal travel or account information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The activation trigger includes generic phrases like 'book a flight' and '订机票', which can cause the skill to activate in many ordinary travel conversations. In this skill, activation is coupled to mandatory CLI execution and possible package installation, so over-broad triggering increases the chance of unintended command execution and system modification.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly instructs the agent to install a global npm package if the CLI is missing, without warning the user that this modifies the local environment. Silent global installation expands the trust boundary to third-party package distribution and can change system state unexpectedly, which is risky in an agentic execution context.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The fallback path normalizes `npm i -g @fly-ai/flyai-cli` as an automatic recovery step, again without any user notification or approval. This can lead an agent to download and install executable code on the host solely to satisfy the skill workflow, increasing supply-chain and unintended-modification risk.

Ssd 4

Medium
Confidence
96% confidence
Finding
The workflow makes environment checking, package installation, and CLI execution mandatory before servicing the user's request. In an agent setting, this pattern conditions the system to acquire and run new tooling on demand, which materially increases exposure to command execution, supply-chain compromise, and unintended host changes.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.