Fall Foliage

Security checks across malware telemetry and agentic risk

Overview

This travel skill has a coherent FlyAI-powered foliage-search purpose, but it automatically installs a global CLI package and keeps raw travel-query logs locally without clear user consent or retention limits.

Review before installing. Only use this skill if you trust the FlyAI npm package and want Fliggy/FlyAI-backed travel results. Require explicit approval before any global npm install, avoid entering sensitive passport, payment, or private itinerary details, and disable or delete `.flyai-execution-log.json` unless you intentionally want raw travel queries and command history stored locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Medium
Confidence: 90%
Finding
The file states that responses must come from executed CLI command sequences, but Playbook A contains only narrative text instead of an executable command. This creates an integrity gap where the agent may fabricate or infer results while presenting them as tool-backed, which is especially risky in a travel-booking context involving flights, hotels, and itinerary decisions.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill explicitly instructs the agent to run `npm i -g @fly-ai/flyai-cli` automatically if the CLI is missing, which modifies the host environment without user approval. Installing a global package from within a skill expands the attack surface to arbitrary postinstall behavior, supply-chain compromise, and unintended persistence on the user's system.

Vague Triggers

Medium
Confidence: 85%
Finding
The trigger phrase "autumn leaves in China" is broad enough to match many ordinary user requests, causing the playbook to activate without clear user intent for this specific workflow. Over-broad activation can route users into unintended tool actions or constrained search behavior, producing irrelevant or misleading travel results.

Vague Triggers

Medium
Confidence: 87%
Finding
The trigger phrase "ginkgo trees" is extremely generic and can appear in casual conversation, photography questions, botany discussions, or non-travel contexts. This increases the chance of accidental activation and unintended tool use, which is problematic in a skill that can influence travel recommendations and downstream booking flows.

Natural-Language Policy Violations

Medium
Confidence: 88%
Finding
The playbooks hardcode Chinese search keywords ("红叶", "银杏") without user consent or locale justification, which can bias or distort results for users expecting another language or broader search coverage. In a travel skill, this may silently exclude relevant destinations, reduce transparency, and produce inaccurate recommendations based on language assumptions rather than stated user needs.

Missing User Warnings

Medium
Confidence: 96%
Finding
The runbook explicitly instructs the agent to store the raw `user_query` and to append execution logs to a persistent local file, but it provides no data minimization, retention limits, consent flow, or redaction guidance. In a travel skill that may collect booking details, itinerary data, visa-related information, and other personal data, persistent logging increases the chance of privacy violations, unauthorized disclosure, and accidental retention of sensitive information.

Ssd 3

Medium
Confidence: 98%
Finding
The schema mandates storing raw user input in an internal execution log and persisting it with `echo ... >> .flyai-execution-log.json`, which can capture sensitive travel-related requests verbatim. Because this skill also supports bookings and travel assistance, user messages may contain names, dates, destinations, passport/visa details, or other personal information that should not be retained indefinitely in a flat log file.

VirusTotal

63/63 vendors flagged this skill as clean.
