Security audit

military-leave

Security checks across malware telemetry and agentic risk

Overview

This travel-booking skill has a coherent purpose, but it tells agents to automatically install an unpinned global npm CLI and can activate too broadly.

Install only if you trust `@fly-ai/flyai-cli` and are comfortable sending route, date, and travel preferences to that travel provider. Prefer manually installing a pinned version in an isolated environment, and do not let the agent run the global npm install automatically unless you have reviewed and approved it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The skill explicitly says agents must never invent CLI parameters, but later instructs use of `--journey-type 1`, which is not listed in the Parameters table. This creates an instruction inconsistency that can cause agents to invoke unsupported flags, producing unpredictable behavior or encouraging command improvisation beyond documented interfaces.

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger phrase list includes the broad Chinese phrase `出行预订` ('travel booking'), which overlaps with many ordinary travel requests unrelated to military leave. That can cause this skill to activate outside its intended scope and route users into external CLI execution and booking flows unnecessarily.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill directs the agent to install and run an external CLI tool, including global npm installation, without requiring any user disclosure, consent, or safety warning. In an agent environment, this can lead to unreviewed software installation and execution based solely on prompt-triggered content.

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger terms "cheap" and "budget" are very common in normal travel conversations, so this playbook can be activated unintentionally during unrelated or only loosely related requests. In a travel-booking skill, overly broad activation can route users into the wrong workflow, causing misleading search behavior, incorrect prioritization of results, or unintended downstream tool usage.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger terms "fast" and "quick" are ambiguous and commonly appear in everyday requests, making accidental activation likely. In this skill, that can cause the agent to choose a fastest-route workflow even when the user intended a different action, increasing the chance of incorrect search results and unnecessary tool invocation.

Vague Triggers

Medium
Confidence: 92%
Finding
The fallback condition "0 results from above playbooks" is underspecified and lacks clear invocation constraints, so the skill may broaden searches or invoke keyword search in situations the user did not explicitly authorize. Because the fallback includes a free-form keyword search built from origin and destination, ambiguous activation can expand the skill's behavior beyond the user's intended workflow and increase the risk of noisy, misleading, or unintended results.

Ssd 4

Medium
Confidence: 97%
Finding
The workflow creates a trust-and-action chain: verify a command, install a package if missing, then depend entirely on that tool's output, all without validating tool authenticity, package integrity, or output safety. This is dangerous because adversarial or compromised packages can gain code execution, and their output can be blindly surfaced to users as authoritative booking data.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.