Security audit

Airplane AI / 断网 AI 助手

Security checks across malware telemetry and agentic risk

Overview

AirplaneAI appears to be a real local chat UI, but it lets model output trigger unrestricted local file reads without enough user control.

Review carefully before installing. Use it only with a trusted local LLM endpoint, avoid using it around secrets, and consider removing or disabling the READ feature unless it is changed to require explicit approval and path limits. The VirusTotal result is pending and the static scan was clean, but the artifact-backed file-read design warrants review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The skill markets itself as an offline local chat UI, but the documented behavior includes arbitrary local file ingestion triggered by model output and outbound connectivity checks to an external site. This mismatch can cause users to trust the tool with sensitive data under a false assumption that it only talks locally, increasing the chance of unintended disclosure.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: The README documents a mechanism where the AI can emit a `<<READ:/路径>>` token that triggers automatic reading of arbitrary local files and appends their contents to the conversation. In the context of an LLM chat interface, this creates a powerful local file disclosure primitive that could expose sensitive data if the model is induced to request secrets or if the backend is ever pointed at a remote API.

Context-Inappropriate Capability
Severity: Medium
Confidence: 97%
Finding: Allowing the model to emit a token like `<<READ:/path>>` that automatically causes local file reads gives the model an ambient file-read primitive. A prompt-injected or simply overreaching model could cause sensitive files to be loaded into the chat context without meaningful user intent verification.

Intent-Code Divergence
Severity: Medium
Confidence: 93%
Finding: The documentation claims files are not uploaded, but elsewhere describes automatic file ingestion into chat based on model output. Even if the tool is local-only by default, this contradictory safety messaging can mislead users into exposing sensitive local content to the model or any configured backend.

Description-Behavior Mismatch
Severity: Medium
Confidence: 97%
Finding: The persona explicitly instructs the model that it can read local files from anywhere on the filesystem via a special token, which grants broad data-access capability unrelated to ordinary chat behavior. In an offline local-LLM UI, this is still dangerous because prompt injection, social engineering, or accidental user requests could cause disclosure of sensitive local files such as SSH keys, browser data, tokens, or personal documents.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: The stated purpose is an offline chat interface for a local LLM, but the documented capability allows reading arbitrary local files without any functional limitation tied to that purpose. This mismatch increases risk because users may not expect the assistant to have blanket filesystem access, enabling unintended exfiltration of confidential local data into the chat context.

Description-Behavior Mismatch
Severity: Medium
Confidence: 98%
Finding: The code performs an outbound connectivity check to a public domain despite being marketed as an offline assistant. This creates unexpected network egress, leaks usage metadata, and undermines the user's assumption that running the tool in 'offline' mode will not contact external infrastructure.

Description-Behavior Mismatch
Severity: High
Confidence: 99%
Finding: The persona explicitly instructs the model that it can read local files via a special token, and the application implements that behavior. For a simple offline chat UI, exposing arbitrary local file reads is dangerous because the LLM can induce the UI to access sensitive files and feed their contents back into the conversation without meaningful access controls.

Context-Inappropriate Capability
Severity: High
Confidence: 99%
Finding: The read_file function resolves any supplied path and returns its contents with no sandboxing, no allowlist, and no user confirmation. Because /api/read is exposed by the local HTTP server and integrated into the LLM-driven chat flow, sensitive local files can be read and then disclosed to the model or browser session.

Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding: The skill text says the assistant cannot browse the web, yet the code performs network requests to the configured LLM endpoint and also probes an external public domain. This mismatch is security-relevant because it misleads users about data flow and can cause them to expose sensitive prompts under a false assumption of no network activity.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The README presents automatic local file reading without a clear warning that private documents, keys, tokens, or system files could be exposed through the chat flow. Because the skill also supports OpenAI-compatible endpoints, users may wrongly assume all data stays local when file contents could be sent to a non-local backend.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The markdown documents automatic file reading initiated by model output without a clear warning that this can expose local secrets, keys, notes, or documents. Missing disclosure is dangerous because users may not realize that ordinary chat interactions can trigger privileged local data access.

Vague Triggers
Severity: Medium
Confidence: 94%
Finding: The file-read mechanism is described as working anywhere on the filesystem and gives no activation constraints, exclusions, or safety policy, so the model is encouraged to invoke it broadly. Without guardrails, an attacker can steer the assistant to request sensitive files, and even benign use can unintentionally surface secrets from the host machine.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: The persona and frontend create an automatic path where the model can emit a `<<READ:/path>>` token that causes the application to read local files, but the user is not warned or asked to approve the access. This enables prompt-driven file exfiltration from the local machine with very little user awareness.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: User messages and any injected file contents are transmitted to the configured LLM endpoint, but the interface does not clearly disclose that data leaves the browser/server process and is sent over HTTP. In context, this is more concerning because the product branding emphasizes offline/local use, which may cause users to underestimate disclosure risk if the endpoint is remote or proxied.

Ssd 3
Severity: Medium
Confidence: 96%
Finding: A model-directed file read can pull local file contents into the prompt/response stream, turning prompt manipulation into data disclosure. In practice, this means sensitive local information could be surfaced in natural-language chat output and potentially later transmitted if the backend configuration changes or logging is enabled.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.