Skill Trust Decision

flyai-transit-tour

Skill declares no permissions but workflow.md requires shell:WRITE for npm install, filesystem access to ~/.flyai/, and contains TLS bypass with undeclared external dependencies.

Source: Manual upload · Scanned: Apr 3, 2026
Files 13
Artifacts 4
Violations 4
Findings 5

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

4 undeclared or violating capabilities were inferred.

Review
Hidden execution and egress

4 lower-risk artifacts were extracted and still need context.

Block
Attack chain and severe findings

The report includes 0 attack-chain steps and 2 severe findings.

Review
Dependencies and supply chain hygiene

1 dependency or supply-chain issue needs attention.

What drove the risk score up

Undeclared shell execution +20

workflow.md line 11 requires 'npm install -g @fly-ai/flyai-cli@latest' but SKILL.md declares no shell permissions

Undeclared filesystem access +15

user-profile-storage.md accesses ~/.flyai/user-profile.md without declaring filesystem:READ or filesystem:WRITE

Unpinned dependency +5

Uses @fly-ai/flyai-cli@latest with no version pinning in npm install

TLS verification bypass +5

NODE_TLS_REJECT_UNAUTHORIZED=0 disables SSL verification (workflow.md line 17)

Most important evidence

High Doc Mismatch

Undeclared shell execution in workflow

SKILL.md declares no permissions, but reference/workflow.md requires executing 'npm install -g @fly-ai/flyai-cli@latest' which is shell:WRITE level.

reference/workflow.md:11
Add shell:WRITE to declared permissions in SKILL.md frontmatter or remove inline CLI installation.
High Doc Mismatch

Undeclared filesystem access for user profile storage

user-profile-storage.md reads/writes to ~/.flyai/user-profile.md without declaring filesystem:READ or filesystem:WRITE permissions.

reference/user-profile-storage.md:55
Declare filesystem:READ and filesystem:WRITE permissions in SKILL.md for ~/.flyai/ path access.
Medium Supply Chain

Unpinned dependency version

npm install uses @fly-ai/flyai-cli@latest which fetches the latest version without pinning, risking supply chain attacks.

reference/workflow.md:11
Pin to a specific version (e.g., @fly-ai/flyai-cli@<version>) to ensure reproducible and secure builds.
Medium Sensitive Access

TLS verification bypass

Workflow instructs to set NODE_TLS_REJECT_UNAUTHORIZED=0 to bypass SSL certificate verification, exposing connections to MITM attacks.

reference/workflow.md:17
Investigate root cause of SSL errors and fix CA certificates rather than disabling verification.
Low Doc Mismatch

Reference files contain executable patterns

Reference markdown files contain bash commands that would need to be executed as shell commands if used as scripts.

reference/workflow.md:36
Clearly document whether reference files are documentation or executable scripts.

Declared capability vs actual capability

Shell Block
Declared NONE
Inferred WRITE
reference/workflow.md:11 - npm install -g @fly-ai/flyai-cli
Filesystem Block
Declared NONE
Inferred WRITE
reference/user-profile-storage.md - mkdir -p ~/.flyai, write ~/.flyai/user-profile.md
Filesystem Block
Declared NONE
Inferred READ
reference/user-profile-storage.md - read ~/.flyai/user-profile.md
Network Block
Declared NONE
Inferred READ
reference/workflow.md:11 - downloads CLI from registry.npmjs.org

Suspicious artifacts and egress

Medium External URL
https://img.alicdn.com/...

reference/search-hotel.md:44

Medium External URL
https://img.alicdn.com/tfscom/...

reference/search-poi.md:32

Medium External URL
https://nodejs.org/

reference/workflow.md:19

Medium External URL
https://registry.npmmirror.com

reference/workflow.md:21

Dependencies and supply chain

Package | Version | Source | Known vuln | Notes
@fly-ai/flyai-cli | latest (unpinned) | npm registry.npmjs.org | No | No version pinning - could fetch malicious updates

File composition

13 files · 1035 lines
Markdown 13 files · 1035 lines
Files of concern · 4
reference/workflow.md Markdown · 279 lines
Undeclared shell execution in workflow · Unpinned dependency version · TLS verification bypass · Reference files contain executable patterns · https://nodejs.org/ · https://registry.npmmirror.com
reference/user-profile-storage.md Markdown · 187 lines
Undeclared filesystem access for user profile storage
reference/search-poi.md Markdown · 47 lines
https://img.alicdn.com/tfscom/...
reference/search-hotel.md Markdown · 57 lines
https://img.alicdn.com/...
Other files · SKILL.md · search-flight.md · search-train.md · search-marriott-hotel.md · keyword-search.md · search-marriott-package.md +2

Security positives

No executable scripts (Python, JS, shell) present - only Markdown documentation
No credential harvesting or environment variable iteration observed
No base64-encoded payloads or obfuscation techniques detected
No sensitive path access (no ~/.ssh, ~/.aws, .env access)
No reverse shell, C2 communication, or data exfiltration patterns
No supply chain typosquatting detected (package name is descriptive)