Back to skill

Security audit

explore-philippines

Security checks across malware telemetry and agentic risk

Overview

This travel-search skill is not malicious, but it should be reviewed because it can automatically install and run an unpinned global CLI package for ordinary travel queries.

Install only if you are comfortable with an agent adding a global npm package and sending travel search details through FlyAI/Fliggy. Before use, require confirmation before any install or networked search, prefer a pinned package version, and review the exact command parameters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The skill explicitly says agents must never invent CLI parameters and may only use flags listed in the parameter table, yet the Direct Route playbook uses an undocumented `--journey-type` flag. This creates an instruction conflict that can cause agents to guess behavior or execute an unsupported command path, undermining safe and predictable tool use.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Using a broad trigger like `discover` can cause the skill to activate on many unrelated conversations, which increases the chance the agent follows this skill's install-and-execute workflow when the user did not intend it. In this context, over-triggering is more dangerous because activation leads to command execution and possible package installation.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill instructs the agent to install `@fly-ai/flyai-cli` globally with npm and then execute it, without requiring explicit user consent or warning about system modification. This is dangerous because it converts a normal travel query into software installation and code execution from an external package repository, expanding the attack surface significantly.

Ssd 4

Medium
Confidence
99% confidence
Finding
The mandatory workflow forces an environment check, then a global npm install, then command execution before serving the user request. This stepwise coercion is risky because it pressures the agent into privileged system changes and third-party code execution as a prerequisite for answering, even when safer alternatives or user confirmation are absent.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.