AI机票预订助手 (AI Flight Booking Assistant)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent flight-booking assistant, but it needs review because it can perform real booking changes/refunds while using weak transport security and insecure local credential storage.

Install only if you trust this publisher and the flight-service endpoint. Before using it, confirm TLS verification is fixed, verify FBT_API_URL is not redirecting requests, avoid shared machines, and manually review order number, passengers, dates, fees, and refund/change effects before approving any booking, cancellation, change, or refund command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Intent-Code Divergence

Severity: Medium (confidence 88%)
Finding:
The end-to-end examples use command signatures that do not match the earlier interface definitions, adding extra phone parameters to order_detail, cancel_order, endorse_search_flight, endorse_search_price, endorse_apply, refund_fee_detail, and refund_apply. In an agent setting, inconsistent interfaces can cause the model to invoke the wrong command shape, misroute sensitive data, or perform actions against unintended APIs or scripts.

Intent-Code Divergence

Severity: Medium (confidence 84%)
Finding:
The refund fee display text says the system will automatically submit the refund application after confirmation, while other sections require a separate forced human confirmation step before any refund submission. Contradictory operational guidance around an irreversible transactional action can cause premature or unintended refund execution by an agent.

Context-Inappropriate Capability

Severity: High (confidence 99%)
Finding:
This code explicitly disables TLS certificate verification before making unauthenticated API requests. That enables man-in-the-middle interception or tampering of authentication-related traffic, which is especially dangerous in a flight-booking assistant that handles identity and booking workflows.

Context-Inappropriate Capability

Severity: High (confidence 99%)
Finding:
The authenticated API wrapper also disables TLS verification while transmitting apiKey and booking-related business data. An attacker on the network path could intercept credentials, read sensitive travel data, or alter booking requests and responses.

Vague Triggers

Severity: Medium (confidence 81%)
Finding:
Using broad everyday trigger phrases for flight/price queries increases the chance that unrelated user text will activate the skill. In this context, accidental activation can start authentication prompts, external network calls, or collection of travel-related data without clear user intent.

Vague Triggers

Severity: Medium (confidence 90%)
Finding:
The cancel-order trigger includes vague phrases like '不要了' (roughly "I don't want it anymore") and '取消这个订单' ("cancel this order") without requiring strong order context or confirmation. Because cancellation is a state-changing action affecting bookings and payments, ambiguous activation could lead to unauthorized or accidental order cancellation.

Vague Triggers

Severity: Medium (confidence 83%)
Finding:
Generic rescheduling phrases may match ordinary conversational change requests that are not intended to operate on a ticket order. In a travel skill tied to real orders, this ambiguity can prompt the agent to search amendment options or initiate change workflows on sensitive booking data without sufficiently clear consent.

Vague Triggers

Severity: Medium (confidence 91%)
Finding:
Including a broad trigger like '退票' ("refund the ticket") for refund submission is dangerous because it can collapse fee inquiry and irreversible submission into one loosely matched intent. Given that refunds are transactional and potentially irreversible, ambiguous triggering materially raises the risk of unintended cancellation/refund actions.

Missing User Warnings

Severity: Medium (confidence 90%)
Finding:
The script stores an API key locally after SMS-based authentication, but there is no visible warning, consent flow, or indication of how the credential is protected at rest. In a flight-booking context, that key likely grants access to account actions such as booking, changes, or refunds, so local compromise or shared-machine use could expose the user's account.

Missing User Warnings

Severity: Medium (confidence 90%)
Finding:
The module persists the apiKey and phone number in a predictable file under the system temporary directory, which is often accessible to other local users, processes, or cleanup tooling. Storing long-lived credentials in an insecure temporary location increases the risk of credential theft and account misuse.

Missing User Warnings

Severity: Medium (confidence 93%)
Finding:
The script prints the full `order_data` structure immediately before submitting the rebooking request, which includes sensitive identifiers such as `order_id`, `ticket_ids`, and detailed itinerary/segment data. In a flight-booking skill, these values are operationally sensitive and may be exposed through logs, terminal history, agent traces, or centralized observability systems, enabling unauthorized order lookup, support abuse, or privacy leakage.

Missing User Warnings

Severity: Medium (confidence 92%)
Finding:
This script retrieves and prints highly sensitive order data, including passenger names, phone numbers, identity document numbers, and ticket numbers, directly to stdout without masking, consent checks, or role-based access controls. In a flight-booking context this is more dangerous because the data is real travel PII that could be exposed through terminal logs, shared sessions, screenshots, or misuse by an unauthorized operator.

Missing User Warnings

Severity: Medium (confidence 94%)
Finding:
The script submits a refund request immediately after fetching order details, without any confirmation, review, or verification of refund scope. In a flight-booking skill, refunds are financially impactful and potentially irreversible business actions, so accidental invocation, parameter mistakes, or misuse could cause unauthorized cancellations or customer-impacting refund operations.

Vague Triggers

Severity: Medium (confidence 89%)
Finding:
The description advertises multiple powerful actions—search, pricing, booking, rebooking, and refunds—using very broad activation wording without clear boundaries for when the skill should engage. In a transactional travel context, ambiguous triggering can cause the agent to invoke booking-related workflows when the user is only asking informational questions, increasing the risk of unintended actions, data collection, or incorrect task routing.

Natural-Language Policy Violations

Severity: Medium (confidence 78%)
Finding:
The description is written as a Chinese-only behavior cue without documenting whether language selection depends on user preference, system locale, or supported regions. In practice this can cause the skill to respond in an unexpected language, mis-handle multilingual requests, or create confusion during sensitive travel transactions such as booking changes or refunds.

VirusTotal

65/65 vendors flagged this skill as clean.