Security audit

Fly

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Fly.io CLI reference skill with powerful but disclosed cloud-management commands.

Install this only if you want the agent to help administer Fly.io resources. Verify the active Fly.io account, app, region, machine, volume, and secret names before running commands, and require explicit confirmation for deploys, scaling changes, SSH commands, proxy sessions, secret changes, and any destroy/delete/unset action.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 85% confidence
Finding: The skill documents destructive operations such as app, volume, and machine deletion without any caution, confirmation guidance, or recommendation to verify targets first. In an agent context, this increases the risk of accidental irreversible actions against production infrastructure if the commands are surfaced or executed without sufficient safeguards.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The secrets section encourages setting and listing secrets but provides no warning about handling sensitive values, terminal history exposure, logging, or avoiding echoing secrets back to users. In an agent skill, omission of secrecy-handling guidance can lead to credential disclosure in prompts, command history, tool logs, or generated examples.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.