eco-hotel

Security checks across malware telemetry and agentic risk

Overview

This travel skill is not clearly malicious, but it can automatically install and run an external global CLI package while also advertising broader travel capabilities than its documented workflows support.

Install only if you are comfortable with a skill that may globally install and run @fly-ai/flyai-cli to fetch travel results. Prefer reviewing the package source, installing it yourself in an isolated environment, and using the skill only for the specific flight-search flows it documents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Medium (95% confidence)
Finding
The skill explicitly says agents must never invent CLI parameters and may only use flags listed in the parameter table, yet Playbook D later instructs use of `--journey-type 1`, which is undocumented. This inconsistency can coerce an agent into violating its own safety/validation rules and executing an unreviewed parameter path, increasing the chance of unintended behavior or misuse of the external CLI.

Description-Behavior Mismatch

Medium (81% confidence)
Finding
The manifest advertises many travel services such as hotels, trains, attraction tickets, visa info, insurance, and car rental, but the file only defines flight-search workflows. This capability mismatch can mislead an agent or user into invoking the skill for unsupported tasks, creating confusion, overreach, and possible unsafe fallback behavior outside the documented implementation.

Vague Triggers

Medium (89% confidence)
Finding
The activation triggers include generic phrases like 'find a hotel' and '订酒店', while the workflow is centered on flight search. Overly broad triggers can cause the skill to activate for ordinary travel requests it is not designed to handle, routing users into the mandatory CLI/install flow unnecessarily and expanding exposure to external command execution.

Missing User Warnings

Medium (98% confidence)
Finding
The skill instructs the agent to automatically run `npm i -g @fly-ai/flyai-cli` if the CLI is missing, with no user consent or warning that the system will be modified. This is dangerous because it normalizes unattended package installation and execution from an external source, which can change the environment and introduce supply-chain risk.

Missing User Warnings

Medium (93% confidence)
Finding
The file instructs the agent/user to run a global npm install command (`npm i -g @fly-ai/flyai-cli`) without any warning that it modifies the system, requires trust in a package registry artifact, and may need elevated permissions. In an agent skill context, operational instructions that change the host environment increase supply-chain and unwanted system-modification risk, especially when presented as a required recovery step.

Missing User Warnings

Medium (94% confidence)
Finding
This fallback repeats the same global npm installation command as a direct remediation step, again without warning about system modification or package trust implications. Repetition in a fallback section makes the behavior more likely to be followed automatically, which increases the chance of unreviewed environment changes on the user's machine or agent runtime.

Ssd 4

Medium (94% confidence)
Finding
The opening 'critical execution rules' create a mandatory chain: do not answer from model knowledge, install the CLI if absent, and only trust CLI output. This escalates the agent from information response into external tool installation and execution under a narrative of necessity, which increases the risk of unsafe compliance and reduces opportunities for safer fallback behavior.

VirusTotal

65/65 vendors flagged this skill as clean.
