Back to skill

Security audit

new-job-relocation

Security checks across malware telemetry and agentic risk

Overview

This travel skill is mostly coherent, but it tells agents to install a global CLI automatically and send trip details to an external booking service without clear user consent.

Install only if you intentionally want agents to use flyai/Fliggy for travel searches. Approve the CLI installation yourself, prefer an isolated environment over a global npm install, and assume trip details you enter may be sent to the external provider before booking links are shown.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The skill explicitly says agents must never invent CLI parameters and may only use flags listed in the parameter table, yet a later playbook uses an undocumented `--journey-type` flag. This inconsistency can cause agents to issue unsupported commands, rely on ambiguous behavior, or normalize bypassing documented constraints, which weakens safety and predictability.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to automatically install a global package (`npm i -g @fly-ai/flyai-cli`) if the CLI is missing, without requiring explicit user consent. This is dangerous because it modifies the host environment, introduces supply-chain risk, and could execute untrusted post-install scripts on the user's system.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill is designed to send user travel details such as origin, destination, and dates to an external booking CLI/service, but it provides no privacy notice or consent flow. This can lead to unannounced disclosure of potentially sensitive itinerary and relocation information to a third party.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The fallback instructions tell the operator to globally install a CLI with `npm i -g`, which modifies the host system and can introduce supply-chain or environment risks if performed blindly. In a skill context, encouraging system-wide installation without warning, least-privilege guidance, or verification steps is unsafe operational guidance even if it is not overtly malicious.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger terms for the cheapest-flight playbook include very broad budget-related words such as "cheap" and "budget", which can appear in many user requests that are not explicit requests to optimize for lowest fare. This can cause the agent to select a price-sorted workflow when the user may prioritize relocation constraints, timing, baggage, or policy compliance, leading to incorrect or suboptimal bookings.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The fastest-route playbook is activated by generic terms like "fast" and "quick", which are ambiguous and may describe the user's desired interaction speed rather than itinerary preference. In a travel-booking skill, this can misroute the request into time-optimized flight search, producing expensive or unsuitable options and increasing the chance of unintended purchases or bad recommendations.

Vague Triggers

Low
Confidence
75% confidence
Finding
The direct-flight playbook includes the trigger "direct", a common everyday term that can appear in unrelated conversational contexts. While the resulting action is less risky than destructive operations, it still creates an intent-confusion path where the agent may force nonstop filtering without clear user authorization, narrowing results and potentially missing acceptable itineraries.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The fallback condition "0 results from above playbooks" is underspecified and immediately expands behavior into both a standard search and a broad keyword search. If upstream playbook execution or result interpretation is noisy, this fallback can activate too often and generate broader, less controlled searches that may ignore user constraints or introduce irrelevant external results into a booking flow.

Ssd 4

Medium
Confidence
96% confidence
Finding
The workflow makes environment checks and automatic CLI installation a mandatory first step before handling the user's request. Embedding system modification into the normal path encourages unsafe default behavior, increasing the chance that agents will alter environments or run external software reflexively.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.