mid-autumn-flight

Security checks across malware telemetry and agentic risk

Overview

This travel-search skill is mostly coherent, but it requires unapproved local command execution and an unpinned global CLI install before use.

Install only if you trust `@fly-ai/flyai-cli` and are comfortable approving command execution yourself. Do not allow the skill to perform the global npm install automatically; install or run the CLI in a controlled environment if needed, and verify booking links before entering personal or payment information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The skill explicitly states that only parameters listed in the Parameters table may be used, but later invokes an undocumented `--journey-type` flag. This inconsistency undermines safe execution constraints and can pressure an agent to use unsupported or unreviewed CLI behavior, increasing the chance of unexpected command effects or bypassing validation logic.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill instructs the agent to execute an external CLI and forbids answering without it, but provides no user-facing warning or consent flow before running commands. In an agent setting, this can lead to silent local command execution and implicit reliance on third-party tooling, which is risky even if the commands appear routine.

Missing User Warnings

High
Confidence: 99%
Finding
The skill mandates `npm i -g @fly-ai/flyai-cli` when the tool is missing, which modifies the user's environment by globally installing code from an external package registry. Automatic installation without explicit consent or integrity controls creates a supply-chain and environment-tampering risk, especially in broadly compatible agent ecosystems.

Vague Triggers

Medium
Confidence: 77%
Finding
The fallback condition '0 results from above playbooks' is underspecified and can cause the broader keyword search to run without clear boundaries on when it should activate. In a booking skill, this increases the chance of unintended invocation paths and overly broad searches, which can return irrelevant results, trigger unnecessary external queries, or bypass the tighter constraints used by the primary playbooks.

Ssd 4

Medium
Confidence: 94%
Finding
The opening workflow normalizes command execution as mandatory behavior before serving the user's request, conditioning the agent to prioritize local actions over safety checks. This increases the likelihood that an agent will execute commands reflexively, even when consent, sandboxing, or trust validation are missing.

VirusTotal

63/63 vendors flagged this skill as clean.