Back to skill

Security audit

retirement-trip

Security checks across malware telemetry and agentic risk

Overview

This travel skill is not clearly malicious, but it can install a global third-party CLI automatically and may activate for generic trip-planning requests.

Install only if you trust the flyai/Fliggy CLI and are comfortable sending travel details to that service. Prefer pre-installing a reviewed, pinned CLI version yourself, and require explicit approval before any global npm install runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The skill explicitly states that only parameters listed in the Parameters Table may be used, but later instructs use of an undocumented `--journey-type` flag. This inconsistency can cause agents to execute unsupported or unvalidated commands, weakening guardrails around command construction and increasing the risk of unsafe or erroneous CLI usage.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The activation trigger includes the generic phrase `plan a trip`, which is broad enough to capture many unrelated travel queries. In an agent setting, over-broad activation can route users into this skill unnecessarily, causing unintended command execution paths, misleading outputs, or system modifications tied to this skill's workflow.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The Chinese trigger `出行规划` means general travel planning and is not specific to retirement travel. This can cause accidental activation for broad Chinese-language travel requests, expanding the skill's execution beyond its intended scope and increasing the chance of unnecessary CLI actions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to install a global npm package if the CLI is missing, without requiring user confirmation or warning that the system will be modified. In an autonomous or semi-autonomous environment, this creates a supply-chain and environment-integrity risk because the agent may fetch and install executable code from an external registry automatically.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The fallback workflow performs `npm i -g @fly-ai/flyai-cli` as a recovery step, again without any approval gate or safety notice. This is dangerous because it normalizes autonomous execution of external install commands, which can expose the host to malicious packages, typosquatting, compromised dependencies, or unwanted persistent changes.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs the agent/user to run a global npm install (`npm i -g @fly-ai/flyai-cli`) without any warning that this modifies the host environment, requires elevated trust in a package source, and may be inappropriate in managed or production systems. In an agent context, this is risky because it encourages environment-changing actions as part of normal recovery flow rather than requiring explicit consent or safer alternatives.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This fallback repeats the same global installation command in a standalone recovery section, again normalizing system modification without disclosure of side effects or need for user authorization. Repetition increases the chance an agent treats installation as routine remediation, which can lead to unauthorized package installation, dependency trust issues, and changes to shared environments.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.