Back to skill

Security audit

holiday-flights

Security checks across malware telemetry and agentic risk

Overview

This flight-search skill is not clearly malicious, but it asks agents to install a global CLI and keep hidden local logs of travel queries.

Install only if you are comfortable with a global npm dependency and local logging. Require the agent to ask before installing @fly-ai/flyai-cli, avoid sudo installs, review or disable .flyai-execution-log.json logging, and treat non-flight travel requests as unsupported unless the publisher documents them clearly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The README presents the skill as narrowly focused on holiday flight search, while the surrounding skill metadata claims much broader capabilities such as booking hotels, trains, attraction tickets, visas, insurance, and car rentals. This scope mismatch can mislead users and agents about what the skill actually does, weakening trust boundaries and increasing the risk that an agent invokes or grants permissions to a skill under false assumptions.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The templates instruct users to run and trust a different toolchain (`flyai` / `flyai-cli`) than the declared Fliggy-powered `holiday-flights` skill. In a travel-booking context, this can misdirect users to the wrong service, cause execution of unintended CLI commands, and create phishing or supply-chain risk if users install or invoke an unrelated binary based on the skill output.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The file claims to contain templates for `holiday-flights`, but the body documents another service/toolchain, creating identity confusion throughout the user-facing flow. This inconsistency is dangerous because it undermines provenance and can steer users toward the wrong booking links, commands, or support path, which is especially sensitive in a commerce/travel skill handling purchases and itinerary decisions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to automatically run `npm i -g @fly-ai/flyai-cli` without explicit user consent or a warning that it modifies the host environment. Automatic global package installation is dangerous because it executes code from an external package source with system-wide effect, increasing supply-chain and unauthorized-change risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The prerequisites and workflow normalize global installation as a mandatory setup step but do not present it as a privileged or environment-changing action requiring user awareness. In an agent context, this is especially risky because users may not expect a travel-query skill to install software on their machine, creating avoidable supply-chain and integrity exposure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The runbook defines an internal execution log that stores the raw user query and states it is not shown to users, creating silent collection of potentially sensitive travel data. In a travel skill, user queries may include names, dates, destinations, visa details, booking preferences, or other personal information, so retaining raw input without notice or minimization creates a real privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The runbook instructs the agent to append execution logs to a local file, which can create persistent storage of operational and user-derived data on disk without transparency or safeguards. Persistent local logs increase exposure through accidental disclosure, multi-user system access, backup propagation, and long-lived retention beyond what is necessary.

Ssd 3

Medium
Confidence
97% confidence
Finding
The runbook explicitly directs retention and persistence of raw user input in an internal execution log, which is a direct instance of sensitive data retention beyond immediate processing needs. Because this is a travel-booking-oriented skill, inputs can reasonably contain personal itinerary details and other sensitive context, making the retention more dangerous than in a low-sensitivity utility skill.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.