connecting

Security checks across malware telemetry and agentic risk

Overview

This travel skill is mostly purpose-aligned, but it tells agents to install a global CLI automatically and persist raw travel-query logs without clear user control.

Review before installing. Prefer manually installing and verifying the flyai CLI yourself, avoid using this skill for sensitive travel or identity details unless logging is disabled or redacted, and treat via-city or fallback results carefully because the documented commands may not actually enforce every routing constraint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The skill explicitly says agents must never invent CLI parameters unless they appear in the Parameters table, yet later maps 'via {city}' queries to a `--transfer-city` flag that is not listed there. This creates an instruction conflict that can cause agents to fabricate unsupported commands, fail unpredictably, or rely on incorrect assumptions when handling user travel requests.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The 'Via Specific Transit City' playbook claims it will return flights through a specified hub, but the actual command omits any transit-city constraint and performs only a generic search. In this context, that can mislead the agent into presenting results as satisfying a user safety/logistics constraint when they may not, undermining result integrity and causing users to act on false travel details.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The playbook claims to support routing through a specific transit city, but the command never passes any transit-city constraint and instead performs a generic search. This can cause the agent to return results that contradict the user's requested route, leading to silent mis-execution and potentially incorrect travel bookings or recommendations.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding:
The quick reference says connecting searches always require journey-type 2, but some playbooks omit that flag, creating inconsistency between documented behavior and executed commands. In practice, this may broaden searches beyond connecting itineraries and cause the agent to take actions outside the user's intended scope.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The skill instructs the agent to run `npm i -g @fly-ai/flyai-cli` automatically if the tool is missing, which is a system-modifying action performed without explicit user consent or warning. In an agent setting, unattended global installation can change the runtime environment, introduce supply-chain risk, and violate least-privilege expectations.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding:
The trigger phrase for connecting-flight activation is broad enough that ordinary flight queries may activate this skill without confirming that the user wants a connecting itinerary. That increases the chance of the agent selecting the wrong workflow and issuing commands that do not match user intent.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The fallback condition is ambiguous because a 0-result flight search can trigger a much broader keyword search without confirming whether the user wants expanded discovery behavior. This creates a scope jump from structured flight lookup to broad search, which may surface irrelevant or unintended content.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The fallback sequence expands from a direct flight-search command to a broad keyword search but provides no user-facing warning about the change in query scope. That can mislead users into believing results are still constrained by the original flight-search semantics when they are not.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The runbook explicitly requires internal logging of raw user queries, CLI commands, fallback actions, and output metadata, but provides no notice, minimization, or access-control guidance. In a travel skill, raw queries can contain names, locations, passport/visa details, booking references, and other sensitive trip data, so collecting and persisting this telemetry creates a real privacy and data-exposure risk.

Ssd 3

Severity: Medium
Confidence: 98%
Finding:
The log template stores `user_query` as raw input in an internal execution log, which directly captures potentially sensitive travel and identity information. Because this skill supports booking, itinerary planning, visa info, insurance, and rentals, user queries may include PII or confidential travel details that become exposed if logs are accessed, retained too long, or shared.

Ssd 3

Severity: Medium
Confidence: 94%
Finding:
Requiring every CLI call and fallback action to be logged can capture commands containing user-derived parameters, tokens, destinations, booking identifiers, or other sensitive operational context. This broad diagnostic logging expands the attack surface and can leak both user data and internal system behavior to anyone with log access.

Ssd 3

Severity: High
Confidence: 99%
Finding:
The runbook instructs appending the full generated execution log to a local file, creating durable storage for all captured sensitive fields without any safeguards for encryption, permissions, rotation, or deletion. Persistent accumulation of travel-related queries and command traces materially increases the chance and impact of unauthorized disclosure or later misuse.

VirusTotal

65/65 vendors flagged this skill as clean.