explore-spain

Security checks across malware telemetry and agentic risk

Overview

This Spain travel skill is not malicious, but it needs review because it can automatically install and run a global third-party travel CLI without a clear consent gate.

Install only if you are comfortable with an agent running `flyai` commands and potentially installing `@fly-ai/flyai-cli` globally through npm. Require confirmation before any install, verify the package source and version yourself, and double-check booking prices, links, and terms before purchasing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium
Confidence: 95%
Finding:
The skill explicitly tells the agent to never invent unlisted CLI parameters, but a later playbook uses `--journey-type 1` even though that flag is absent from the documented parameters. This inconsistency can cause agents to violate their own safety/usage constraints, increasing the chance of failed execution, unsafe improvisation, or reliance on undocumented behavior in a third-party CLI.

Description-Behavior Mismatch

Medium
Confidence: 86%
Finding:
The manifest advertises a broad set of travel services such as hotels, trains, attractions, visas, insurance, and car rental, but the body of the skill only defines flight-search workflows. That mismatch can cause over-activation and misplaced user trust, leading an agent to invoke the skill in contexts it cannot safely fulfill and potentially fabricate unsupported capabilities.

Vague Triggers

Medium
Confidence: 91%
Finding:
Including the generic trigger term `discover` makes activation overly broad and likely in benign conversations unrelated to booking Spain travel. Over-broad triggers are dangerous in agentic contexts because they can unexpectedly route user requests into a skill that installs software and executes external commands.

Missing User Warnings

Medium
Confidence: 98%
Finding:
The skill instructs the agent to automatically run `npm i -g @fly-ai/flyai-cli` if the tool is missing, without requiring user confirmation or presenting installation risk. Automatically installing and then using a new global executable materially increases supply-chain and environment-modification risk, especially when triggered by natural-language travel queries.

Ssd 4

Medium
Confidence: 97%
Finding:
The workflow normalizes checking for a CLI, globally installing it, and then relying on it as the exclusive source of truth before answering. In skill context, this creates a trust-and-action chain where ordinary travel prompts can lead directly to system changes and execution of third-party code without equivalent safety gates, provenance checks, or consent.

VirusTotal

63/63 vendors flagged this skill as clean.
