Security audit

Pet Hotel

Security checks across malware telemetry and agentic risk

Overview

This travel-planning skill is mostly purpose-aligned, but it directs automatic global CLI installation and appears to persist raw travel queries locally without clear user control.

Review this skill before installing. Use it only if you are comfortable with a global npm CLI dependency and booking-link-driven travel results. Prefer manually installing or vetting @fly-ai/flyai-cli first, and disable or remove any runbook logging that stores raw travel queries unless you intentionally want that local history retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
97% confidence
Finding
The skill explicitly instructs the agent to install a global npm package (`npm i -g @fly-ai/flyai-cli`) automatically if the command is missing, without requiring user confirmation or establishing package trust. This creates a supply-chain and unauthorized system modification risk, especially because installation changes the host environment and may execute package lifecycle scripts.

Missing User Warnings

Medium
93% confidence
Finding
The fallback instructs installing a global npm package and immediately executing it, which can modify the host environment and run unreviewed code without explicit user consent or safety disclosure. In an agent skill context, operational instructions like this are risky because they normalize environment-changing shell execution as an automatic recovery step rather than a manual prerequisite.

Missing User Warnings

Medium
97% confidence
Finding
The runbook explicitly records `user_query` as raw input in an internal execution log, which can capture sensitive personal, travel, payment, identity, or visa-related data without any stated minimization, consent, masking, or retention controls. In a travel skill with support for bookings and visa/insurance workflows, raw queries are especially likely to contain PII and confidential itinerary details, making persistent collection materially risky.

Missing User Warnings

Medium
95% confidence
Finding
The runbook instructs appending execution logs to a local file, creating persistent storage of operational and potentially sensitive request data without warning, opt-in, or safeguards around permissions, encryption, rotation, or deletion. Because this skill handles travel-related tasks, those logs may accumulate booking intents, identifiers, links, and other trace data that could be exposed to other local processes or retained longer than intended.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.