historical-sites

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it can modify the host by installing a global CLI and can persist raw travel queries in a local log.

Review before installing. Only use this skill if you are comfortable with a booking-oriented FlyAI/Fliggy workflow, manual review of a global npm CLI dependency, third-party travel queries, and possible local logging. Prefer installing the CLI yourself after verifying the package, and disable or delete `.flyai-execution-log.json` if you do not want raw request history retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Description-Behavior Mismatch

Medium, 88% confidence
Finding: The README presents the skill as a historical-sites explorer, but also discloses real-time travel data and booking-link functionality via flyai-cli. This mismatch can mislead users and agent frameworks about the skill's true capabilities, causing it to be invoked in broader transactional contexts than expected and reducing informed consent around booking-related actions.

Intent-Code Divergence

Low, 80% confidence
Finding: The 'What It Does' section understates the skill's scope by describing only historical-landmark exploration while other sections mention live travel data and booking links. In agent ecosystems, incomplete capability disclosure can lead to unsafe trust assumptions, policy misclassification, or unintended use of external booking features.

Description-Behavior Mismatch

Medium, 89% confidence
Finding: The skill is presented as a historical-sites guide, but its operative behavior is a broader commerce workflow that depends on a third-party booking CLI. This is a security-relevant mismatch because users and host agents may activate it expecting informational guidance, while it actually performs transactional/external-service actions and link generation with different privacy and trust implications.

Intent-Code Divergence

Medium, 84% confidence
Finding: The skill promises detailed cultural context and visiting guides, but then instructs the agent to act only as a CLI executor and forbid knowledge-based answers. This contradiction can mislead users and orchestrators about what the skill actually does, increasing the chance that an agent over-trusts generated output as curated guidance when it is only relayed third-party results.

Missing User Warnings

Medium, 94% confidence
Finding: The skill directs automatic installation of a global npm package (`npm i -g @fly-ai/flyai-cli`) as part of normal execution without a safety prompt or requirement for explicit user consent. Installing global packages modifies the host environment, may require elevated privileges, and creates supply-chain risk if the package is malicious, compromised, or typosquatted.

Missing User Warnings

Medium, 91% confidence
Finding: The skill routes user travel queries through an external CLI/service and generates booking links, but it does not clearly warn that destination preferences, itinerary details, and other query content may be transmitted to a third party. This creates a privacy and transparency issue because users may reasonably believe they are interacting only with the local agent.

Missing User Warnings

Medium, 94% confidence
Finding: The runbook explicitly records `user_query` as raw input in an internal execution log, which can capture sensitive personal, financial, passport, visa, or booking details users may provide. In a travel skill context, this is more dangerous because users commonly submit high-sensitivity data, and the document provides no notice, minimization, masking, or retention controls.

Missing User Warnings

Medium, 96% confidence
Finding: The runbook instructs persistent appending of execution logs to a local file, which increases the chance that sensitive travel-related requests remain stored on disk beyond the active session. Persistent local storage expands exposure from transient processing to at-rest compromise, accidental inclusion in backups, or access by other processes/users on the host.

Ssd 3

Medium, 97% confidence
Finding: Taken together, the schema logs raw natural-language user input and then persists the resulting execution record to disk, creating a clear data leakage path for secrets and personal information embedded in free-text prompts. In this skill's travel/booking context, users may supply passport numbers, contact details, itineraries, payment-adjacent information, and visa data, making the combined design more dangerous than generic telemetry.

VirusTotal

63/63 vendors flagged this skill as clean.