flight-change

Security checks across malware telemetry and agentic risk

Overview

This travel skill is not clearly malicious, but it needs review because it tells agents to install an unpinned global CLI and send travel searches to an external service without a clear approval step.

Install only if you trust the flyai CLI provider and are comfortable approving a global npm package install. Prefer a sandbox or manual/local install, review the exact flight-search command before execution, and avoid entering sensitive travel details unless you accept sending them to the external travel service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch (Severity: Medium, Confidence: 93%)

Finding:
The manifest claims broad travel-booking capabilities far beyond the documented flight-change workflow, which can cause an agent to route unrelated tasks to this skill under false assumptions. That increases the chance of unintended command execution, inappropriate data collection, or user reliance on unsupported flows.

Intent-Code Divergence (Severity: High, Confidence: 98%)

Finding:
The skill explicitly says only listed flags may be used, yet a playbook uses an unlisted `--journey-type` flag. This contradiction undermines guardrails and can train agents to ignore parameter allowlists, increasing the risk of unsafe or unintended CLI invocation if other hidden or unsupported flags are later introduced.

Missing User Warnings (Severity: Medium, Confidence: 96%)

Finding:
The skill mandates global installation of `@fly-ai/flyai-cli` via `npm i -g` without warning the user that it will modify the host environment. Unprompted package installation is security-sensitive because it changes system state, may require elevated privileges, and expands supply-chain risk.

Missing User Warnings (Severity: Medium, Confidence: 90%)

Finding:
The skill directs the agent to run a third-party CLI for flight searches without any explicit notice that travel query data may be sent over the network to an external service. This is dangerous because users may unknowingly disclose itinerary, location, or travel-planning data to a vendor outside the local environment.

Missing User Warnings (Severity: Medium, Confidence: 94%)

Finding:
The skill instructs the agent or user to run a global npm install (`npm i -g @fly-ai/flyai-cli`) without any warning that this modifies the host system, requires elevated trust in an external package, and may violate least-privilege expectations. In an agent setting, silently performing system-wide package installation expands attack surface and can lead to supply-chain compromise or unauthorized environment changes.

Missing User Warnings (Severity: Medium, Confidence: 95%)

Finding:
This repeated fallback again directs a global npm installation with no disclosure of system impact, persistence, or trust implications. Repetition increases the chance an agent treats installation as routine remediation and performs an unsafe environment modification without informed consent.

Vague Triggers (Severity: Medium, Confidence: 87%)

Finding:
The trigger phrases in these playbooks include very generic terms like "cheap," "budget," "fast," and "quick," which are common in ordinary conversation and can cause unintended playbook activation. In a travel skill that can initiate search and booking-related workflows, overly broad routing can mishandle user intent, surface irrelevant travel actions, and increase the chance of acting on incomplete or misinterpreted inputs.

Vague Triggers (Severity: Medium, Confidence: 91%)

Finding:
The fallback condition "0 results from above playbooks" is underspecified and does not define strict boundaries for when the broader keyword search may run. This can cause the agent to escalate from structured commands to a looser query based on partially derived variables, increasing the risk of unintended tool use, incorrect searches, and routing behavior that does not match the user's original request.

VirusTotal

65/65 vendors flagged this skill as clean.