Back to skill

Security audit

Zoo Aquarium

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent travel-search purpose, but it can automatically install a global CLI and quietly persist raw user queries in a local log.

Review before installing. Only allow the global npm install if you trust `@fly-ai/flyai-cli`, avoid entering sensitive personal travel details, and check or delete `.flyai-execution-log.json` if the skill is used. Prefer approving CLI execution only for explicit zoo, aquarium, safari, or attraction-search requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The activation terms include broad everyday words like "animals" and "wildlife," which can cause the skill to trigger on unrelated conversations. Because this skill then instructs the agent to install and run a CLI, unintended activation could lead to unnecessary command execution or package installation in contexts that were not asking for travel booking help.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The runbook explicitly logs `user_query` as raw input and records every CLI command/status in an internal execution log, while also stating the log is not shown to users. This creates a real privacy and retention risk because sensitive user-provided travel details or booking data may be captured and stored without notice, minimization, or redaction.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The runbook instructs appending execution logs to a local file using `echo '{generation_log_json}' >> .flyai-execution-log.json`, which can persist user-linked operational data to disk. Because the same log schema includes raw input and command history, file persistence increases exposure through local compromise, accidental inclusion in artifacts, backups, or overly broad access permissions.

Ssd 3

Medium
Confidence
95% confidence
Finding
Persistently logging `user_query` captures arbitrary natural-language input, which often contains personal, financial, itinerary, or location data in travel-related skills. Retaining this text creates a meaningful data leakage and privacy risk because free-form input is hard to sanitize reliably and may later be accessed by operators, other processes, or leaked through logs.

Ssd 3

Medium
Confidence
94% confidence
Finding
The rules require logging on every trigger and describe persisting execution logs, which institutionalizes routine retention of potentially sensitive data instead of making it exceptional and controlled. In this skill's travel/booking context, user inputs may include destinations, dates, identity details, booking preferences, and other sensitive operational data, making blanket retention more dangerous.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.