
Security audit

AI Flight Booking Assistant (AI机票预订助手)

Security checks across malware telemetry and agentic risk

Overview

The skill's code matches its stated flight-booking purpose, but it needs review because it handles credentials, passenger identity data, bookings, changes, and refunds with weak safeguards: TLS certificate verification is disabled, the apiKey is kept in a predictable temp file, passenger PII is printed unmasked, and refunds are submitted without a confirmation step.

Install only if you trust the publisher and the Fenbeitong flight service, and do not use it with real passenger IDs or paid bookings until TLS verification is restored, apiKey storage is moved to a user-private secure location, PII is masked in output, and refund and change commands require explicit, scoped confirmation.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Intent-Code Divergence
Severity: Medium | Confidence: 88%

The workflow examples use different command signatures from the formal command definitions for the order, cancellation, endorsement, and refund operations, including extra phone-number arguments in some cases. In a transactional skill handling bookings and refunds, such inconsistency can lead to incorrect command execution, actions on the wrong order, or implementations that improvise argument handling around sensitive identifiers. The two should be reconciled so that every documented invocation matches the defined signature exactly.

Context-Inappropriate Capability
Severity: Medium | Confidence: 99%

The request helper explicitly disables TLS certificate verification by creating an unverified SSL context before calling the remote API. In a flight-booking assistant this exposes authentication flows and potentially personal or booking-related data to man-in-the-middle interception or tampering, which is especially dangerous because the helper is used for security-sensitive API communication. There is no legitimate reason for a production skill to do this; a private CA should be pinned via a CA bundle rather than by turning verification off.

Context-Inappropriate Capability
Severity: Medium | Confidence: 99%

The authenticated API wrapper also disables certificate verification while sending the apiKey and business data. That allows an attacker on the network path to intercept credentials and passenger information, or to alter booking requests and responses, directly affecting ticket ordering, changes, and refunds.
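The two findings above describe the same defect in two call sites. The block below is an added illustration, not the skill's own code: it shows the pattern the audit flags (an unverified context) next to a hardened context, plus a fail-closed wrapper that refuses to attach a credential to a request unless the context actually verifies certificates. The API URL, the use of an `apiKey` request header, and the helper names are assumptions.

```python
import ssl
import urllib.request
from typing import Optional, Tuple

# Added example; not the audited skill's code.

def insecure_context() -> ssl.SSLContext:
    """The pattern the audit flags: accepts any certificate, so an on-path
    attacker can present their own and read the apiKey in clear."""
    return ssl._create_unverified_context()


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Verify the chain (system store, or a pinned CA bundle via `cafile`),
    require a hostname match, and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    """True only if the context rejects untrusted or mismatched certificates."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def build_request(url: str, api_key: str, ctx: ssl.SSLContext) -> Tuple[urllib.request.Request, ssl.SSLContext]:
    """Fail closed: never attach the credential to a request that could be
    intercepted. 'apiKey' as the header name is an assumption."""
    if not url.lower().startswith("https://"):
        raise ValueError("credential must only travel over https")
    if not context_is_verifying(ctx):
        raise RuntimeError("refusing to send apiKey: TLS verification is disabled")
    req = urllib.request.Request(url, headers={"apiKey": api_key}, method="GET")
    return req, ctx


def call_api(url: str, api_key: str, ctx: ssl.SSLContext, timeout: float = 10.0) -> bytes:
    """Perform the request with the verifying context (network call)."""
    req, ctx = build_request(url, api_key, ctx)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    print("unverified context verifies:", context_is_verifying(insecure_context()))
    print("hardened context verifies:", context_is_verifying(hardened_context()))
```

If the Fenbeitong endpoint really does sit behind a private or self-signed CA, pass that CA's PEM as `cafile` to `hardened_context` rather than disabling verification; that keeps the hostname check and the chain check intact while trusting only the one issuer.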

Missing User Warnings
Severity: Medium | Confidence: 90%

The module stores the apiKey and phone number in a predictable file under the system temporary directory, which is not an appropriate secure storage location for long-lived credentials. On shared systems, or wherever the temp directory is world-readable or not sticky, other local users or processes can read, replace, or delete the file, leading to credential theft or session manipulation; a pre-planted symlink at the expected path can also redirect the write.

Missing User Warnings
Severity: Medium | Confidence: 90%

The script transmits highly sensitive passenger data, including name, phone number, and government ID number, to an API without any visible privacy notice, consent prompt, or indication of how the data will be handled. In a flight-booking context this transmission is functionally necessary, but failing to warn users or document the privacy impact increases the risk of uninformed disclosure of personally identifiable information.

Missing User Warnings
Severity: Medium | Confidence: 98%

The script prints the passenger's full name, phone number, and ID card number directly to stdout, which can expose sensitive data in terminal history, logs, monitoring systems, or shared execution environments. Because this skill handles real-world travel bookings, the leaked data is highly valuable and could enable identity theft, social engineering, or privacy violations.

Missing User Warnings
Severity: Medium | Confidence: 95%

The script prints the full constructed `order_data` object to stdout immediately before submitting the endorse request. In this flight-booking context, that object likely contains sensitive booking metadata such as order IDs, ticket/product identifiers, segment details, and potentially passenger-associated data, which may be captured in logs, terminal history, or agent transcripts and exposed to unauthorized parties.

Missing User Warnings
Severity: Medium | Confidence: 88%

The script writes flight and seat selection data to a temporary JSON file on disk, creating persistence of booking-related information outside the immediate process. In a flight-booking context, even if the data is not obviously a full credential set, it can reveal travel itinerary details and booking metadata, and if the temp path is shared, predictable, or not permission-restricted, other local processes or users may read or tamper with it.
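The apiKey/phone file and the flight-selection JSON file above share one fix: keep state out of the shared temp directory, create it in a 0700 directory under the user's home, write it 0600 with `O_EXCL` so a planted symlink is never followed, and refuse to read it back if ownership or permissions have changed. The block below is an added example, not the skill's own code; the `.fenbeitong-skill` directory name, the file names, and the sample contents are assumptions, and `self_check` exercises the round trip in a scratch directory so it can be run anywhere.

```python
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional

# Added example; not the audited skill's code.

def insecure_path() -> Path:
    """The pattern the audit flags: a fixed name in the shared temp dir,
    created with the default umask, so any local user can read or replace it."""
    return Path(tempfile.gettempdir()) / "flight_session.json"


def private_path(base: Optional[Path] = None, name: str = "session.json") -> Path:
    """A user-private (0700) directory under $HOME; directory name is assumed."""
    base = Path(base) if base else Path.home()
    d = base / ".fenbeitong-skill"
    d.mkdir(mode=0o700, exist_ok=True)
    os.chmod(d, 0o700)            # mkdir's mode is masked by umask; enforce it
    return d / name


def save_private(path: Path, data: dict) -> None:
    """Write 0600 via O_EXCL into a temp name, then atomically rename into place,
    so a pre-existing symlink at the path is never followed and readers never
    observe a half-written file."""
    tmp = path.with_name(path.name + ".tmp")
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            json.dump(data, f)
    except BaseException:
        tmp.unlink(missing_ok=True)
        raise
    os.replace(tmp, path)


def load_private(path: Path) -> dict:
    """Refuse symlinks, files owned by someone else, and group/other-accessible files."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError(f"{path} is a symlink")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise PermissionError(f"{path} is owned by another user")
    if st.st_mode & 0o077:
        raise PermissionError(f"{path} is accessible to other users")
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def self_check(base: Optional[str] = None) -> dict:
    """Round-trip a constructed session under a scratch dir and report what a
    reviewer would check: modes, content, cleanup, and rejection of loosened perms."""
    with tempfile.TemporaryDirectory(dir=base) as scratch:
        p = private_path(Path(scratch))
        secret = {"apiKey": "k-test", "phone": "13800000000"}   # constructed sample
        save_private(p, secret)
        out = {
            "dir_mode": stat.S_IMODE(p.parent.stat().st_mode),
            "file_mode": stat.S_IMODE(p.stat().st_mode),
            "round_trip": load_private(p) == secret,
            "tmp_left_behind": p.with_name(p.name + ".tmp").exists(),
        }
        os.chmod(p, 0o644)                    # simulate someone loosening the file
        try:
            load_private(p)
            out["rejects_loose_perms"] = False
        except PermissionError:
            out["rejects_loose_perms"] = True
        return out


if __name__ == "__main__":
    print("insecure location:", insecure_path())
    print(self_check())
```

The same `save_private`/`load_private` pair covers the seat-selection JSON: it is not a credential, but an itinerary is still PII, and the tamper case (a local process swapping the selected flight before the order is placed) is exactly what the permission and ownership checks close off.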

Missing User Warnings
Severity: Medium | Confidence: 93%

The script fetches and prints full order details, including passenger name, phone number, identity document number, and ticket number, directly to stdout without masking or any authorization, consent, or sensitivity checks in this file. In an agent skill context, console output may be surfaced to users, logs, or downstream systems, creating a real risk of unintended PII disclosure if the wrong order ID is queried or outputs are retained.
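The three stdout findings (passenger data, the `order_data` object, and the fetched order) all want the same remedy: mask identifying fields before anything reaches a terminal, a log, or an agent transcript. The block below is an added example, not the skill's own code. It masks a payload recursively by field name, so it works on the nested passenger lists these APIs typically return; the field names in `MASK_RULES` and the sample order are assumptions, not the Fenbeitong schema.

```python
import json
from typing import Any

# Added example; not the audited skill's code.

def mask(value: Any, head: int = 0, tail: int = 0, fill: str = "*") -> str:
    """Keep `head` leading and `tail` trailing characters, star the rest.
    Values too short to leave anything hidden are fully masked."""
    s = str(value)
    if len(s) <= head + tail:
        return fill * len(s)
    return s[:head] + fill * (len(s) - head - tail) + s[len(s) - tail:]


# (head, tail) kept per sensitive field; keys are normalised to lower case with
# underscores removed, so "id_no", "idNo" and "IDNO" all match. Field names are
# assumptions about the order payload.
MASK_RULES = {
    "name": (1, 0), "passengername": (1, 0),
    "phone": (3, 4), "mobile": (3, 4), "telephone": (3, 4),
    "idno": (0, 4), "idnumber": (0, 4), "certno": (0, 4), "idcard": (0, 4),
    "ticketno": (3, 3), "ticketnumber": (3, 3),
}


def mask_pii(obj: Any) -> Any:
    """Return a masked deep copy of a dict/list payload; the input is not mutated."""
    if isinstance(obj, dict):
        out = {}
        for k, v in obj.items():
            rule = MASK_RULES.get(str(k).replace("_", "").lower())
            out[k] = mask(v, *rule) if rule and v is not None else mask_pii(v)
        return out
    if isinstance(obj, list):
        return [mask_pii(x) for x in obj]
    return obj


def render_order(order: dict) -> str:
    """What the script should print instead of the raw order: masked JSON."""
    return json.dumps(mask_pii(order), ensure_ascii=False, indent=2)


if __name__ == "__main__":
    # Constructed sample, not real data.
    sample = {"orderId": "O-1001", "passengers": [{
        "name": "Zhang San", "phone": "13800001234",
        "idNo": "110101199001011234", "ticketNo": "7812345678901"}]}
    print(render_order(sample))
```

Masking at the rendering boundary, rather than at each `print`, is what keeps a future contributor from reintroducing the leak: anything that goes to stdout, a log handler, or the agent's tool result should pass through `mask_pii` first, and the unmasked object should only ever be handed to the API call itself.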

Missing User Warnings
Severity: Medium | Confidence: 96%

The script invokes the refundApply API immediately after deriving product IDs from the order, without any explicit user confirmation, preview of affected passengers/tickets, or safeguard against accidental execution. In a flight-booking skill, refund operations are financially sensitive and may be difficult or impossible to reverse, so accidental or misrouted calls could cause unwanted cancellations, monetary loss, and customer support incidents.
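The scoped confirmation the audit asks for can be made mechanical rather than a yes/no prompt an agent will happily answer. The block below is an added example, not the skill's own code: `plan()` derives the product IDs from the order and shows exactly what refundApply would touch, and `execute()` only proceeds when handed back the plan's token, which is bound to the action, the order, the product IDs, and a per-session nonce, and is single-use. The order shape (`orderId`, `passengers[].productId`), the request body, and the `submit` callback are assumptions standing in for the real API call.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Tuple

# Added example; not the audited skill's code.

@dataclass(frozen=True)
class RefundPlan:
    order_id: str
    product_ids: Tuple[str, ...]
    passenger_count: int
    token: str          # must be echoed back to execute exactly this plan

    def preview(self) -> str:
        return (f"refundApply on order {self.order_id}: {len(self.product_ids)} ticket(s) "
                f"[{', '.join(self.product_ids)}] for {self.passenger_count} passenger(s). "
                f"Irreversible. Confirm with token {self.token}.")


class RefundGuard:
    """Two-step refund. The token is a digest over (action, order, product ids,
    session nonce), so a confirmation given for one scope cannot be replayed
    against another order, a different ticket subset, or a second time."""

    def __init__(self, nonce: Optional[str] = None):
        self._nonce = nonce or secrets.token_hex(16)   # per session, unguessable
        self._used = set()

    def _token(self, order_id: str, product_ids: Iterable[str]) -> str:
        payload = json.dumps(
            {"action": "refundApply", "orderId": order_id,
             "productIds": sorted(product_ids), "nonce": self._nonce},
            sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()[:16]

    def plan(self, order: dict, product_ids: Optional[Iterable[str]] = None) -> RefundPlan:
        """Derive the scope from the order (or a caller-chosen subset of it)."""
        passengers = order.get("passengers", [])
        on_order = [p["productId"] for p in passengers]
        chosen = tuple(sorted(product_ids)) if product_ids is not None else tuple(sorted(on_order))
        unknown = set(chosen) - set(on_order)
        if unknown:
            raise ValueError(f"product ids not on order {order['orderId']}: {sorted(unknown)}")
        if not chosen:
            raise ValueError("nothing to refund")
        affected = sum(1 for p in passengers if p["productId"] in chosen)
        return RefundPlan(order["orderId"], chosen, affected,
                          self._token(order["orderId"], chosen))

    def execute(self, plan: RefundPlan, confirmation: str,
                submit: Callable[[dict], dict]) -> dict:
        """Submit only if the confirmation matches this plan and it is unused."""
        expected = self._token(plan.order_id, plan.product_ids)
        if not hmac.compare_digest(confirmation, expected):
            raise PermissionError("confirmation does not match this refund plan")
        if plan.token in self._used:
            raise PermissionError("this refund plan was already executed")
        self._used.add(plan.token)
        return submit({"orderId": plan.order_id, "productIds": list(plan.product_ids)})


if __name__ == "__main__":
    # Constructed sample order; `submit` stands in for the real refundApply call.
    order = {"orderId": "ORD-1", "passengers": [{"productId": "P1"}, {"productId": "P2"}]}
    guard = RefundGuard()
    plan = guard.plan(order)
    print(plan.preview())
    print(guard.execute(plan, plan.token, lambda body: {"code": 0, "sent": body}))
```

In an agent setting the token should be shown to the human, not to the model: the skill prints `plan.preview()` and stops, and the refund command only runs when the user types the token back. The same shape applies to the change (endorse) flow, which the audit flags for the same missing preview.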

Vague Triggers
Severity: Medium | Confidence: 88%

The description advertises a very broad set of travel actions such as search, booking, rescheduling, and refunds without defining clear activation boundaries or user-intent constraints. In an agent environment, this can cause over-invocation or trigger the skill for ambiguous travel-related requests, increasing the chance of unintended transactional behavior or excessive data collection.

VirusTotal

67/67 vendors reported no detections for this skill.


Static analysis

No suspicious patterns detected.