Back to skill

Security audit

destination-finder

Security checks across malware telemetry and agentic risk

Overview

This travel recommendation skill appears legitimate, but it asks the agent to run local shell setup commands and potentially install a global npm tool, which needs review before use.

Review before installing. Use it only if you are comfortable with destination searches being sent to Xiaohongshu and FlyAI/Fliggy-style services, and do not let the agent automatically source shell files or install global npm packages. FlyAI should be installed and configured by the user or platform in advance, and failures should fall back to no-link output rather than modifying the local environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to alter the shell PATH and invoke an external CLI (`flyai`) as part of normal operation. For a travel recommendation skill, requiring shell-level environment changes and command execution expands the attack surface, enables execution of unexpected binaries if PATH resolution is subverted, and creates unnecessary coupling to local host state.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The document instructs the agent to modify the shell PATH, source shell rc files, and potentially install a global npm package during normal skill operation. For a destination-recommendation skill, these host-environment changes are unnecessary and expand the agent's capabilities into system administration, increasing the risk of unsafe command execution, persistence changes, and unintended package installation on the user's or runner's machine.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The skill extends from destination recommendation into real-time external retrieval of images and information, plus fallback generation of external search links. This broadens data egress and output surface beyond the core skill purpose, creating privacy, content-safety, and prompt-scope risks if user inputs or recommendations are sent to third-party services without explicit user consent.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly requires collecting detailed travel history, prior destinations, preferences, origin city, timing, and related personal context without any user-facing notice about why the data is needed, whether it will be retained, or how it will be used. This creates unnecessary privacy risk through over-collection and can expose sensitive behavioral patterns if logged or reused across sessions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill directs the agent to query third-party platforms (Xiaohongshu and FlyAI/Fliggy data) to personalize recommendations but does not instruct the agent to disclose that external services will be used. This can leak user-derived interests, itinerary constraints, or destination preferences to third parties without informed consent, which is particularly risky in a recommendation workflow that gathers rich personal context first.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.