Pool Hotel

Security checks across malware telemetry and agentic risk

Overview

This travel skill mostly does what it says, but it needs review because it can install a global CLI and quietly keep raw travel queries in a local log.

Install only if you trust the flyai CLI package and are comfortable with a skill that may globally install it. Avoid entering sensitive personal travel details unless you accept local logging, and consider disabling or deleting .flyai-execution-log.json after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Description-Behavior Mismatch

Medium (97% confidence)
Finding
The manifest markets this as a narrow 'pool hotel' skill, but the description and body state it supports a much broader set of travel-booking functions. This scope mismatch can mislead agents, reviewers, and users about what actions the skill may attempt, increasing the chance of unintended invocation and over-privileged behavior outside the declared niche.

Context-Inappropriate Capability

Medium (94% confidence)
Finding
The runbook directs the agent to capture the raw user query and detailed execution telemetry for every invocation, even though the advertised skill is a hotel-with-pool travel search tool. This creates unnecessary collection of potentially sensitive travel-related data and internal behavior traces, increasing privacy and data-governance risk without a clear user-benefiting need.

Context-Inappropriate Capability

Medium (95% confidence)
Finding
The runbook explicitly instructs local persistence of execution logs to a hidden file, which gives the skill a durable data retention mechanism unrelated to simple hotel search. Persisting logs locally can expose user queries and operational data to later unauthorized access, reuse, or accidental leakage.

Missing User Warnings

Medium (97% confidence)
Finding
The fallback instructs the agent to globally install and execute a CLI (`npm i -g @fly-ai/flyai-cli && flyai --version`) without any user-facing warning, confirmation, or safety boundary around modifying the host system. In an agent setting, this expands the attack surface by allowing persistent environment changes and execution of downloaded code from a package registry, which is especially risky because it is presented as a normal recovery path rather than an exceptional, consent-gated action.

Missing User Warnings

Medium (96% confidence)
Finding
The schema stores the raw input in `user_query` and states the log is internal and not shown to users, meaning collection occurs without any visible notice in this skill content. For a travel skill, user prompts may include names, destinations, dates, budgets, or other personal details, so undisclosed retention materially increases privacy risk.

Ssd 3

Medium (97% confidence)
Finding
The runbook combines internal retention of raw user input with a persistence path to disk, creating a durable record of potentially sensitive travel requests and operational metadata. In the context of this skill, such retention is not necessary to fulfill hotel-pool search requests and broadens the blast radius of any compromise or misconfiguration.

VirusTotal

65/65 vendors flagged this skill as clean.
