Missing User Warnings
Medium
- Confidence: 98%
- Finding: The skill instructs the agent to globally install and execute a package (`npm i -g @fly-ai/flyai-cli`) automatically if the binary is missing, without explicit user confirmation or trust verification. This creates a supply-chain and arbitrary-code-execution risk, because package installation scripts and the installed CLI run with the user's privileges and could alter the host environment.
