中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 5/100
Last scan:1 day ago Rescan
5 /100
flyai-reverse-budget
反向穷游助手 — reverse travel planning by budget (input: budget, origin city, days → AI searches all possible destinations and generates 3-tier plans)
This is a pure-documentation skill (14 Markdown files, no executable code) that wraps a legitimate travel planning CLI. No scripts, no dependencies, no obfuscation, and no credential access observed.
Skill Nameflyai-reverse-budget
Duration42.5s
Enginepi
Safe to install
This skill is safe to use. The npm install -g command in workflow.md is a one-time CLI setup step, and NODE_TLS_REJECT_UNAUTHORIZED=0 is a common pattern for internal API tools. No action required beyond standard npm global install awareness.

Findings 1 items

Severity Finding Location
Low
NODE_TLS_REJECT_UNAUTHORIZED=0 disables SSL verification Doc Mismatch
workflow.md instructs to prefix flyai commands with NODE_TLS_REJECT_UNAUTHORIZED=0, disabling TLS certificate verification. This is a known workaround for internal/corporate proxies but weakens security for HTTPS connections to the FlyAI API.
NODE_TLS_REJECT_UNAUTHORIZED=0 flyai keyword-search --query ...
→ Use this workaround only if the FlyAI CLI does not support custom CA certificates. Investigate whether the FlyAI API supports proper TLS configuration instead.
 reference/workflow.md:86
ResourceDeclaredInferredStatusEvidence
Filesystem READ READ ✓ Aligned reference/user-profile-storage.md reads ~/.flyai/user-profile.md (documented)
Network READ READ ✓ Aligned workflow.md invokes flyai CLI which makes HTTP calls to FlyAI API (documented)
Shell WRITE WRITE ✓ Aligned workflow.md declares npm install -g @fly-ai/flyai-cli (documented CLI setup)
Environment NONE NONE No environment variable access observed
Skill Invoke READ READ ✓ Aligned Uses ask_user_question, search_memory, update_memory tools (documented)
Clipboard NONE NONE No clipboard access
Browser NONE NONE No browser access
Database NONE NONE No database access
4 findings
🔗
Medium External URL 外部 URL
https://img.alicdn.com/...
reference/search-hotel.md:44
🔗
Medium External URL 外部 URL
https://img.alicdn.com/tfscom/...
reference/search-poi.md:32
🔗
Medium External URL 外部 URL
https://nodejs.org/
reference/workflow.md:19
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com
reference/workflow.md:21

File Tree

14 files · 31.7 KB · 1008 lines
Markdown 14f · 1008L
├─ 📁 reference
│ ├─ 📝 ai-search.md Markdown 26L · 659 B
│ ├─ 📝 examples.md Markdown 32L · 998 B
│ ├─ 📝 keyword-search.md Markdown 53L · 1.6 KB
│ ├─ 📝 search-flight.md Markdown 87L · 3.0 KB
│ ├─ 📝 search-hotel.md Markdown 57L · 1.8 KB
│ ├─ 📝 search-marriott-hotel.md Markdown 54L · 1.8 KB
│ ├─ 📝 search-marriott-package.md Markdown 40L · 995 B
│ ├─ 📝 search-poi.md Markdown 47L · 2.2 KB
│ ├─ 📝 search-train.md Markdown 77L · 2.6 KB
│ ├─ 📝 self-learning.md Markdown 19L · 450 B
│ ├─ 📝 tools.md Markdown 34L · 782 B
│ ├─ 📝 user-profile-storage.md Markdown 187L · 4.1 KB
│ └─ 📝 workflow.md Markdown 191L · 7.0 KB
└─ 📝 SKILL.md Markdown 104L · 3.9 KB

Security Positives

✓ Pure Markdown documentation skill — no executable code, scripts, or binaries present
✓ No credential harvesting, no API key theft, no environment variable enumeration
✓ No base64, obfuscation, or anti-analysis techniques
✓ All external tool usage (flyai CLI, npm install) is documented in SKILL.md and reference files
✓ User profile storage is opt-in and clearly documented with user consent
✓ No supply chain risk — no package.json, requirements.txt, or dependency files
✓ No sensitive path access (no ~/.ssh, ~/.aws, .env file access)
✓ No persistence mechanisms, no reverse shell, no C2 communication
✓ All external URLs are Alibaba CDN image links — benign travel content