Security audit

Indirect-Route Low-Price Flight Fuzzy Search (曲线救国低价机票模糊搜索)

Security checks across malware telemetry and agentic risk

Overview

This flight-search skill is mostly coherent, but it handles login cookies and uses stealthy browser automation in ways users should review carefully before installing.

Install only if you are comfortable with an agent launching and controlling Chrome, querying third-party travel sites, and storing travel-site login cookies on disk. Use a separate browser profile and secondary travel accounts, do not reuse sensitive accounts, delete ~/.qvxian and ~/.qvxianjiuguo when done, and avoid enabling debug HTML capture unless you accept that page contents may be saved locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (31)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run_cli(args: str) -> tuple[dict, int]:
    """Run the CLI command and return the JSON result and exit code"""
    cmd = f'uv run python -m qvxianjiuguo.cli {args}'
    result = subprocess.run(
        cmd,
        shell=True,
        capture_output=True,
Confidence
97% confidence
Finding
result = subprocess.run( cmd, shell=True, capture_output=True, text=True, cwd=os.path.dirname(os.path.dirname(os.path.abspath(__file__))) )

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill requests or enables powerful capabilities including shell execution, filesystem read/write, network access, environment-variable use, and browser/process control, yet it does not declare permissions in a machine-enforceable way. This creates a transparency and containment failure: an agent or runtime may invoke sensitive operations such as reading browser data, writing cookies, killing processes, or launching Chrome without the user understanding the full risk surface.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The declared purpose is ticket search, but the documented behavior extends into credential handling, browser automation, local Chrome control, cookie extraction/persistence, and possible anti-detection evasion. That mismatch is dangerous because users may consent to a simple search utility while actually granting a tool access to authentication material and browser state, increasing the chance of account compromise, privacy loss, or misuse of local system capabilities.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The README makes materially inconsistent claims about scope: it says the tool only supports single-platform price queries and no broader comparison, but later advertises search and login/cookie support for four travel platforms. In an agent skill context, this can mislead operators and users about what data sources are accessed and what accounts or platforms may be touched, undermining informed consent and safe deployment decisions.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The README states the tool does not provide ticket purchasing or booking, but the published triggers include buy/book intents such as '买机票' and '订机票'. For an autonomous agent, this mismatch is dangerous because the skill may be invoked in transactional contexts users reasonably expect to be non-transactional, increasing the risk of unintended account actions, collection of sensitive travel data, or escalation into booking flows.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill is presented as a flight fuzzy-search utility, but the CLI also includes login-state checking and persistent cookie save/load workflows. This expands the trust boundary from search automation into credential/session handling, creating unnecessary exposure of authenticated browser state and increasing the risk of account/session misuse if the skill is run in an agent context.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code extracts login cookies from the browser and writes them to a JSON file in the user's home directory. Authentication cookies are bearer tokens for active sessions; if the file is read by another local process, user, backup system, or malware, the platform account may be hijacked without needing a password.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The code reloads previously saved cookies into a live browser session, enabling restoration of authenticated state from a local file. This makes any stolen or improperly shared cookie file immediately usable for session replay and account access, especially because the feature is built into a convenient CLI workflow.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code loads cookies from a local file under the user's home directory and injects them into a browser session for third-party travel domains, effectively reusing an authenticated session. Even if intended to help the user avoid repeated logins, this handles highly sensitive session credentials and can impersonate the user on external sites if the cookie file is exposed, reused without consent, or loaded for the wrong browser context.

Context-Inappropriate Capability

Low
Confidence
90% confidence
Finding
In debug mode, the skill writes the full page HTML to a local file, which may include account details, booking information, embedded tokens, and other personal travel data unrelated to the requested search. Saving entire pages increases the blast radius of any local compromise and can unintentionally retain sensitive data beyond the immediate task.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code explicitly injects stealth JavaScript and overrides browser fingerprints to reduce detection by websites. For a flight-search skill, anti-detection behavior is not necessary for core functionality and increases the risk that the skill is used to bypass site defenses, rate limits, or bot controls.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The drag, click, and typing routines are deliberately randomized to mimic human behavior and make automation harder to detect. In the context of a flight-search tool, this exceeds normal automation needs and can facilitate circumvention of anti-bot protections on third-party sites.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file implements deliberate browser anti-detection and fingerprint spoofing, including webdriver hiding, fake plugins, forged Chrome APIs, and altered WebGL/device characteristics. In a flight-search skill, these capabilities are not necessary for normal functionality and instead enable covert scraping or bypass of site anti-bot protections, increasing the risk of policy evasion and unauthorized automation.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code actively manipulates multiple fingerprint surfaces to evade bot detection: navigator.webdriver, plugins, languages, permissions, WebGL, hardwareConcurrency, deviceMemory, connection, and Chrome-specific properties. This is a strong indicator of evasive automation designed to avoid detection controls, which is especially suspicious because the stated skill purpose is simple ticket search rather than browser stealth research or compatibility testing.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file contains an end-to-end login test for 去哪儿 that requests a real phone number, triggers SMS verification, handles slider challenges, and verifies account login. This exceeds the declared scope of a fuzzy flight-search skill and introduces credential/session handling behavior that could collect user authentication data or persist logged-in browser state, making the skill materially more dangerous than advertised.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This test automates a real website login flow, enters a phone number, and triggers SMS-verification behavior even though the skill is described as a flight fuzzy-search tool. That creates undocumented authentication capability and can cause unauthorized interaction with third-party account systems, which is risky and out of scope for a search-only skill.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code actively fills a phone number field and attempts to click a 'get verification code' control, which is concrete account-authentication behavior. In the context of a search-only flight skill, this expands capability beyond stated intent and could be abused to trigger SMS messages or probe login workflows on a third-party platform.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This test automates a third-party login flow for Qunar even though the skill is described as a fuzzy flight-search capability, creating a capability mismatch and unnecessary interaction with account-authentication surfaces. Login automation against external consumer services can facilitate unauthorized account access workflows, bypass expected human friction, and expand the skill's effective scope beyond search into credential or session handling.

Context-Inappropriate Capability

Low
Confidence
87% confidence
Finding
The code captures and prints raw HTML, page text, input metadata, and clickable-element details from a live login page, which exceeds what is needed for flight search and may expose sensitive UI content or authentication-related state in logs. Broad page introspection of third-party login pages can leak tokens, personal data, anti-bot challenges, or implementation details useful for abuse or evasion.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The test explicitly opens and interacts with a third-party login page (`user.qunar.com/passport/login.jsp`) even though the skill is described as a flight fuzzy-search capability, not an authentication or account-management feature. Accessing a live login surface in test code expands the skill’s operational scope and creates unnecessary risk of harvesting page structure, user-interface details, or later evolving into credential collection automation.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code performs broad DOM scraping over all inputs and many clickable elements on a login page, collecting placeholders, names, types, and text related to phone numbers and verification codes. In the context of a flight-search skill, this is unjustified reconnaissance of an authentication interface and could be repurposed to map login flows or facilitate credential/OTP-targeted abuse.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This test automates an SMS-login and slider-verification flow that is outside the declared flight fuzzy-search purpose of the skill. Security-sensitive automation of login and anti-bot checks can enable account access workflows and bypass detection logic, which increases abuse potential even if framed as test code.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The file's behavior is centered on login-page interaction, requesting SMS codes, and solving a slider challenge rather than searching flights. In the context of a flight-search skill, this mismatch is dangerous because it hides unrelated high-risk browser automation that could be repurposed for account access or anti-abuse evasion.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code can terminate any process bound to the configured debugging port, including a Chrome instance not started by this tool. In a shared desktop or multi-process environment, that can disrupt unrelated user sessions, destroy browser state, and potentially interfere with other automation or debugging workflows without confirmation or ownership checks.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The CLI saves browser cookies that represent login state to disk but does not provide explicit warnings that these files are sensitive credentials. Users may reasonably treat the file as harmless app data, increasing the chance of insecure storage, sharing, syncing, or inclusion in logs and backups.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.