Back to skill

Security audit

Trip Advisor

Security checks across malware telemetry and agentic risk

Overview

This travel skill is mostly aligned with its purpose, but it tells the agent to install and run an unpinned travel CLI and to keep raw trip requests in a hidden local log.

Review before installing. Use it only if you are comfortable with an agent installing and running the FlyAI/Fliggy CLI, sending trip details to that provider, and potentially writing raw travel requests to a local .flyai-execution-log.json file. Prefer manually approving or preinstalling a trusted pinned CLI version and deleting or disabling the local log if you do not want trip details retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly directs the agent to check for, install, and execute a third-party CLI, but provides no requirement to obtain user consent or disclose that commands will run locally and may send itinerary details to an external service. In an agent setting, this can cause unexpected package installation, command execution, and disclosure of sensitive travel data such as destinations, dates, and possibly booking preferences.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The activation rules use broad phrases like "itinerary" and "travel planning," which can match normal informational conversation rather than an explicit request to run a booking/search tool. That increases the chance the skill will activate unexpectedly and trigger command execution or external queries without clear user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The runbook explicitly records `user_query` as raw input in an internal execution log, but provides no notice, minimization, or retention controls. In a travel-planning skill, users may provide passports, visa details, dates of birth, contact information, or payment-adjacent data, so storing raw prompts creates a meaningful privacy and data-exposure risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The runbook instructs appending execution logs to a local file, which turns transient operational data into persistent at-rest data without warning the user. Because the log schema includes raw input and operational details, disk persistence increases the chance of later disclosure through backups, shared environments, misconfigured permissions, or unintended reuse.

Ssd 3

Medium
Confidence
94% confidence
Finding
Retaining raw natural-language user input creates a leakage channel because prompts often contain sensitive freeform details that are hard to reliably sanitize after collection. In this skill's travel context, that may include itinerary details, legal names, visa status, passport data, and other personal travel information that could later be surfaced or accessed by unauthorized parties.

Ssd 3

Medium
Confidence
95% confidence
Finding
Persisting the generated execution log to disk preserves any sensitive content captured earlier and broadens the exposure window beyond the active request. File-based retention is especially risky in agent environments where logs may be copied, indexed, or inspected by other tools, making accidental data leakage more likely.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.