Back to skill

Security audit

food-tour

Security checks across malware telemetry and agentic risk

Overview

This is a real travel-search skill, but it can install and run a third-party CLI, send travel queries to an external service, and persist raw interaction logs without enough user control or privacy disclosure.

Review before installing. Use this skill only if you are comfortable with a global npm CLI install, third-party travel-search requests to flyai/Fliggy, and possible local execution logs. Avoid entering passport numbers, payment details, private booking references, or sensitive itinerary information unless the provider’s privacy and retention practices are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Missing User Warnings

Low
Confidence
91% confidence
Finding
The README states the skill provides real-time travel data and booking links, which implies outbound network access and interaction with third-party services, but it does not clearly warn users about those external interactions. In a travel-booking skill this behavior is expected, so the issue is primarily a transparency and consent problem rather than a hidden high-risk exploit, but it can still lead users to unknowingly trigger external requests or booking flows.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The activation trigger includes broad, everyday phrases such as 'where to eat' and '吃什么', which can cause the skill to activate on many general conversational queries that are not clearly asking for this tool. Over-broad activation increases the chance of inappropriate tool use, unnecessary external calls, and accidental disclosure of user travel intent or query data to the downstream CLI/service.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill description is very broad, covering food tours plus flights, hotels, trains, visas, insurance, car rental, and more, while the activation logic only keys off a small set of food-related phrases. This mismatch creates ambiguous routing boundaries and can cause the skill to be invoked in contexts beyond what its trigger logic safely and predictably governs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The runbook explicitly records `user_query` as raw input in an internal execution log, which can capture sensitive personal, financial, travel, or visa-related data entered by users. Because the skill also handles bookings and travel planning, storing raw prompts without notice or minimization increases privacy, retention, and downstream disclosure risk if logs are accessed, shared, or breached.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The runbook instructs appending execution logs to a local file, which creates durable storage of interaction data and operational traces without any user warning, retention limit, or protection requirements. Persistent file-based logs materially increase exposure because data may remain on disk, be backed up, or be readable by other processes or operators.

Ssd 3

Medium
Confidence
96% confidence
Finding
This runbook combines raw `user_query`, detailed step-by-step commands, fallback actions, and output metadata in a persistent internal log, creating a broad natural-language audit trail that may contain sensitive travel details and operational information. In a travel-booking skill, users may provide passport, visa, location, itinerary, or payment-adjacent details, so retaining full traces increases the chance of privacy leakage and secondary misuse.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.