Security audit

Explore Korea

Security checks across malware telemetry and agentic risk

Overview

This Korea travel skill is purpose-aligned, but it can install a global CLI and quietly keep local logs of raw travel requests.

Review before installing. Use this only if you trust @fly-ai/flyai-cli, are comfortable with travel details going to the flyai/Fliggy-backed service, and can prevent or remove .flyai-execution-log.json if you do not want raw trip requests and command history retained locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Low
Confidence
95% confidence
Finding
The runbook explicitly records the user's raw input in an internal execution log, even though a travel-planning skill does not need blanket retention of full prompts to function. Raw travel queries often contain personal data such as names, dates, destinations, passport or visa details, and booking preferences, so storing them increases privacy and data-exposure risk without clear necessity.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The runbook prescribes executing an environment-check shell command (`flyai --version`) as part of skill operation, which introduces command-execution behavior unrelated to travel assistance. Even if the specific command is harmless, normalizing shell execution in a runbook expands the skill's operational surface and can become dangerous if the pattern is reused with variable input or broader commands.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The requirement to log every CLI command and fallback recovery command indicates the skill is expected to invoke arbitrary command-line operations beyond its stated travel-booking purpose. This creates a broader-than-advertised execution capability and also records potentially sensitive commands or arguments, which can expose internal operations and any embedded data passed to those commands.

Context-Inappropriate Capability

Low
Confidence
93% confidence
Finding
Persisting execution logs to a local file is unnecessary for normal travel-planning behavior and creates durable storage of operational and possibly user-derived data. Local log files are easy to overlook, may have weak access controls, and can accumulate sensitive information over time, increasing the chance of leakage or unauthorized reuse.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The activation phrases are broad enough that the skill may trigger on ordinary mentions of Korea-related travel, causing the agent to follow this skill's workflow unexpectedly. In this skill, unexpected activation is more dangerous because the workflow mandates CLI execution and possible package installation, which can lead to unintended external calls and system modification.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to install a global npm package automatically if the CLI is missing, without user consent or a safety gate. This is dangerous because it authorizes system modification and execution of third-party code based solely on prompt content, expanding the attack surface and violating least-privilege expectations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill routes all travel handling through an external CLI/service but does not warn users that their queries and trip details may be sent to a third party. In a travel-booking context, this can expose sensitive itinerary, identity, or preference data and undermines informed consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The guidance stores raw user input and persists the log locally without any user-facing disclosure or consent mechanism. In a travel context, users may provide highly sensitive itinerary and identity information, so undisclosed retention undermines privacy expectations and increases compliance and data-handling risk.

Ssd 3

Medium
Confidence
98% confidence
Finding
Storing natural-language raw queries in persistent logs creates a direct data-retention and leakage risk because free-form user text often contains sensitive details that are hard to systematically sanitize after the fact. For a travel skill, this can include full itineraries, locations, companions, visa questions, and other personal context that could be exposed through local files, backups, or debugging workflows.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.