Back to skill

Security audit

Week Trip

Security checks across malware telemetry and agentic risk

Overview

This travel-planning skill is coherent overall, but it asks agents to install a global CLI automatically and to keep hidden local logs of raw user travel requests.

Review before installing. Use this only if you trust the flyai CLI and are comfortable with provider-specific booking results. Do not let an agent perform the global npm install without your approval, consider installing a pinned version manually, and disable or delete `.flyai-execution-log.json` if you do not want raw travel requests saved locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The runbook directs the agent to capture raw user queries and detailed command execution metadata in an internal log, which exceeds what is necessary for a travel-planning skill. Because travel requests often contain personal and sensitive information, persistent collection of this data increases privacy risk and creates a secondary store of potentially sensitive user data without clear necessity or minimization.

Context-Inappropriate Capability

Low
Confidence
90% confidence
Finding
The prescribed environment check runs a local CLI command (`flyai --version`) even though the skill's stated purpose is trip planning, not host inspection. This unnecessarily expands the skill's operational scope and normalizes local command execution, which can become a foothold for broader misuse or unexpected data exposure in more permissive environments.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The runbook explicitly authorizes writing execution logs to a local file, creating persistent storage of operational history outside the immediate task flow. In the context of a travel skill, this is unjustified and dangerous because it can retain sensitive itinerary details, personal queries, and command traces on disk where they may be accessed later by other processes or users.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs the agent to install a global npm package automatically if the CLI is missing, which modifies the user's system without prior consent or a safety warning. In an agent setting, this can lead to unapproved software installation, supply-chain exposure, and persistent environment changes beyond the user's original travel-planning request.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The prerequisites section normalizes a global npm install as a setup step without disclosing that it changes the host environment or may execute untrusted package lifecycle scripts. This is risky in a skill because agents may treat prerequisites as safe defaults and perform them automatically on behalf of the user.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The workflow mandates retrying by running a global install command whenever the tool is absent, and only stops after attempting installation. That creates a direct path for an agent to take privileged, persistent action without authorization, increasing the chance of unintended system modification or package-based compromise.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The schema stores `user_query` as raw input while stating the log is maintained internally and not shown to users, which indicates undisclosed collection of user content. Hidden retention of raw travel-related requests is risky because users may include names, passport/visa details, dates, locations, or budget information without expecting it to be stored.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The file instructs the agent to append execution logs to a local file but provides no warning or disclosure about local data storage. Undisclosed persistence is especially problematic in a travel-booking context because logs may contain personal trip details and operational traces that users reasonably assume are transient.

Ssd 3

Medium
Confidence
99% confidence
Finding
Taken together, the runbook defines a persistent local log containing raw user input, command history, fallback actions, and output metadata, creating a detailed audit trail unrelated to the core travel-planning function. This broad data retention materially increases privacy and security exposure by concentrating sensitive user content and execution details in a durable local artifact.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.