Security audit

early-bird-flight

Security checks across malware telemetry and agentic risk

Overview

This flight-search skill is mostly coherent, but it can make an agent globally install and run an unpinned third-party travel CLI without a clear user approval gate.

Review before installing. Only use this skill if you trust the `@fly-ai/flyai-cli` package and are comfortable sharing flight-search details with the travel provider. Do not allow the global npm install unless you explicitly approve that system change; a pinned or sandboxed install would be safer.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (4)

Intent-Code Divergence

High

Confidence: 95% confidence
Finding: The skill explicitly says agents must never invent CLI parameters and only use documented flags, yet later instructs use of undocumented `--journey-type`. This contradiction encourages execution of unverified command options, increasing the chance of unsafe behavior, hidden functionality use, or accidental invocation of unsupported code paths in the external CLI.

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The activation trigger includes the generic phrase `book a flight`, which greatly broadens when the skill will take over. In an agent environment, over-broad activation can route unrelated travel requests into a workflow that enforces CLI execution and possible package installation, creating unnecessary exposure to external tools and side effects.

Vague Triggers

Medium

Confidence: 83% confidence
Finding: The manifest markets many unrelated travel services plus `and more`, making the operational scope ambiguous. Ambiguous scope increases the chance an orchestrator or user will invoke this skill for requests beyond its vetted behavior, which can lead to improper tool use, over-collection of parameters, or unexpected actions.

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The skill mandates installing a global npm package (`npm i -g @fly-ai/flyai-cli`) if the tool is missing, without user consent or safety gating. Automatic environment modification is dangerous because it executes supply-chain-dependent code, changes host state, and may occur in sensitive runtime contexts where installation should never be implicit.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.