Back to skill

Security audit

Budget Backpacker

Security checks across malware telemetry and agentic risk

Overview

This travel skill has a clear purpose, but it can automatically install a global third-party CLI and quietly save raw travel queries locally.

Review before installing. Use this only if you are comfortable with an agent running flyai commands, possibly installing `@fly-ai/flyai-cli` globally, sending travel details to that provider, and creating `.flyai-execution-log.json` with raw queries. Prefer manual installation, sandboxed execution, and disabling or deleting the local execution log.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to install and run a global npm package (`npm i -g @fly-ai/flyai-cli`) and treats that execution path as mandatory, but it provides no user-facing warning that this modifies the system and executes third-party code. In an agent setting, this can lead to silent package installation, supply-chain exposure, and unexpected host changes without informed user consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill routes all travel queries through an external `flyai` CLI and forbids answering without it, yet it does not warn users that their prompts, travel plans, dates, and locations may be transmitted to a third-party provider. This creates a privacy and data-governance risk because users may disclose sensitive itinerary or personal travel information without meaningful notice or consent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The runbook explicitly defines an internal execution log that captures the raw user query and operational metadata. Because this skill handles travel and booking-related requests that can contain personal, financial, passport, visa, or itinerary details, retaining raw input without clear minimization, redaction, or disclosure creates a real privacy and data-retention risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The file instructs the agent to append execution logs to a local file whenever filesystem writes are available, but provides no safeguards around user notice, encryption, permissions, or retention. Local persistent logs can be read later by other processes, operators, or attackers, turning transient travel queries into durable sensitive records.

Ssd 3

Medium
Confidence
96% confidence
Finding
Taken together, the schema stores raw natural-language user input and prescribes persistence to a local JSON log, which materially increases leakage risk from debugging artifacts. In this travel-booking context, queries may include names, passport/visa details, dates, destinations, budgets, and booking preferences, making the retained text potentially sensitive and more dangerous than generic telemetry.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.