economy-flights

Security checks across malware telemetry and agentic risk

Overview

This flight-search skill is mostly coherent, but it asks an agent to install a global CLI, broaden travel searches, and persist raw user queries without clear consent controls.

Install only if you are comfortable with an agent installing and running a global npm CLI, sending travel search details to flyai/Fliggy, and potentially writing local execution logs. Require confirmation before installs or broader searches, avoid entering passport or sensitive personal details, and delete or disable `.flyai-execution-log.json` if logs are created.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Description-Behavior Mismatch
Severity: Low | Confidence: 88%
Finding: The fallback broadens the skill from a constrained economy-flight search into a generic keyword search, which can return results outside the declared scope and bypass the playbook's tighter parameterization. In an agent setting, this increases the chance of irrelevant, overbroad, or policy-bypassing behavior because freeform search is less controlled than the structured flight command.

Missing User Warnings
Severity: Medium | Confidence: 95%
Finding: The skill instructs the agent to install and execute a global npm package (`@fly-ai/flyai-cli`) as part of normal operation without prior user approval or a safety warning. This is dangerous because it causes persistent system modification and executes third-party code from the network, expanding supply-chain and local-environment risk beyond the user's original request.

Missing User Warnings
Severity: Medium | Confidence: 98%
Finding: The environment check explicitly tells the agent to run `npm i -g @fly-ai/flyai-cli` when `flyai` is missing, then continue execution. In an agent context this is more dangerous than ordinary documentation because it operationalizes unreviewed package installation and immediate execution, creating a clear supply-chain and host-compromise pathway if the package is malicious, typosquatted, or later compromised.

Missing User Warnings
Severity: Medium | Confidence: 94%
Finding: Automatically searching a different travel date than the one the user requested can cause the agent to act on materially altered booking criteria without informed consent. In a travel-booking context, this is more dangerous because date changes affect price, eligibility, visa timing, lodging, and itinerary feasibility, and could lead to unauthorized or harmful downstream decisions.

Missing User Warnings
Severity: Medium | Confidence: 96%
Finding: The runbook explicitly records the raw user query in an internal execution log and then describes persisting the generated log to disk. In a travel-booking context, user queries can contain sensitive personal, financial, or itinerary information, so storing them without minimization, consent, retention limits, or redaction creates unnecessary privacy and data-exposure risk.

Ssd 3
Severity: Medium | Confidence: 97%
Finding: The schema includes `"user_query": "{raw input}"`, which instructs the agent to retain the full original user prompt. For this skill, raw prompts may include passenger names, travel dates, passport or visa details, destinations, and other personal data, increasing the blast radius if logs are accessed or reused improperly.

Ssd 3
Severity: Medium | Confidence: 98%
Finding: The runbook instructs appending the full generated execution log to `.flyai-execution-log.json`, creating durable local storage of whatever sensitive data the log contains. Persistent plaintext logs are a common source of secondary exposure through filesystem access, backups, log shipping, or accidental inclusion in support bundles and repositories.

VirusTotal

62/62 vendors flagged this skill as clean.