Security audit

food-travel

Security checks across malware telemetry and agentic risk

Overview

This is a food-travel planning skill that uses external search and travel lookup results in a disclosed, purpose-aligned way, with normal caution around third-party links.

Before installing, confirm that you trust the flyai tool/provider in your environment and review any external booking links or images before clicking. Avoid sharing unnecessary sensitive travel or identity details unless needed for a specific lookup.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 87% confidence
Finding: The skill instructs the agent to always include booking links and images pulled from external search or travel results, but provides no requirement to label them as third-party destinations or warn the user before navigation. This can expose users to unvetted external content, affiliate-style redirects, tracking, or misleading booking pages, especially because the skill is explicitly travel-commerce oriented and encourages repeated link presentation.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.