Security audit

Rafting Spots

Security checks across malware telemetry and agentic risk

Overview

This rafting travel skill appears purpose-aligned overall, but it asks agents to install a global CLI automatically and to keep under-disclosed logs of user travel queries.

Review before installing. Use it only if you are comfortable with a global flyai CLI dependency and with travel requests potentially being logged locally. Avoid entering passport numbers, payment details, confirmation codes, or sensitive personal information, and check for `.flyai-execution-log.json` if you do not want retained query logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The runbook explicitly instructs persistent storage of execution logs that can contain raw user queries, CLI commands, fallback actions, and operational metadata. For a travel-discovery skill, this data collection and retention is broader than necessary and creates avoidable privacy and sensitive-data exposure risk if logs are accessed, leaked, or reused improperly.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The skill instructs the agent to globally install `@fly-ai/flyai-cli` with `npm i -g`, which modifies the host environment and executes package installation code without any user warning, confirmation, or safer alternative. In an agent setting, this can lead to unreviewed system changes, supply-chain exposure, and persistence beyond the current task.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The prerequisites section again directs a global npm install without disclosing that it alters the system environment and runs third-party install scripts. Because the skill frames installation as mandatory before answering, it increases the chance an agent will perform unsafe environment modification automatically.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The schema captures the user's raw input in an internal log without any indication of notice, consent, or minimization. In a travel skill, user queries may contain personal travel plans, names, locations, contact details, or booking-related information, making undisclosed retention materially risky from both privacy and compliance perspectives.

Ssd 3

Severity: Medium
Confidence: 95%
Finding:
Retaining the user's raw input in an internal execution log increases the chance that sensitive personal or travel-related information is stored beyond the immediate transaction. Because this skill supports broader travel functions such as flights, hotels, and insurance, the logged content may be especially sensitive and more damaging if exposed.

Ssd 3

Severity: Medium
Confidence: 97%
Finding:
The runbook directs appending execution logs to a local file, creating persistent storage of user content and command history. Persistent local logs increase the attack surface for unauthorized access, accidental inclusion in support bundles or repositories, and long-term retention of data unrelated to the skill's core function.

VirusTotal

66/66 vendors flagged this skill as clean.