
Security audit

Breakfast Hotel

Security checks across malware telemetry and agentic risk

Overview

This hotel-search skill is purpose-aligned, but it needs review because it can auto-install a global CLI and keep raw travel queries in a local log.

Review before installing. Only use this skill if you are comfortable approving the `flyai` CLI install yourself, sharing travel search details with that CLI, and managing or deleting `.flyai-execution-log.json` if you do not want searches retained locally. Static scan was clean and VirusTotal was pending, so the review bucket is based on the artifact instructions, not malware telemetry.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill explicitly instructs the agent to install and run a global CLI tool without any user-facing warning or confirmation step. This is dangerous because installing global npm packages modifies the host environment and may execute package lifecycle scripts, creating unnecessary supply-chain and system-change risk in response to a normal travel query.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The prerequisites section normalizes a global npm install as part of ordinary skill use, but does not disclose that this alters system state. In an agent setting, that can cause silent package installation, PATH changes, and execution of untrusted third-party code from the npm ecosystem.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The fallback workflow directs the agent to automatically perform a global install when `flyai` is missing, with no confirmation gate. That makes the skill more dangerous because a simple missing-command condition turns into autonomous software installation and execution on the user's machine.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The runbook explicitly directs the agent to capture and retain `user_query` as raw input in an internal execution log. Raw travel queries can contain personal or sensitive data such as names, dates, destinations, booking references, and other itinerary details, so storing them without notice, minimization, or retention controls creates a privacy and data exposure risk if logs are later accessed, copied, or exfiltrated.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The file instructs unconditional persistence of execution logs to `.flyai-execution-log.json`, which can create a local data-at-rest exposure without informing the user. Because the same log schema includes raw queries and operational details, this file write can silently accumulate sensitive information on disk and broaden the attack surface to other local users, processes, backups, or sync tools.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The runbook defines a detailed execution log containing raw input, CLI commands, fallback actions, statuses, and output metadata, then permits persistent storage. In a travel-booking context, these logs may reveal sensitive personal behavior and booking activity, and the combination of detailed telemetry plus raw input increases the chance of privacy violations, accidental disclosure, and secondary misuse.

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.