Security Decision Report

flyai-transit-tour

Skill declares no permissions but workflow.md requires shell:WRITE for npm install, filesystem access to ~/.flyai/, and contains TLS bypass with undeclared external dependencies.

Install decision priority · Source: manual upload · Scan time: 2026/4/3
Files: 13
IOCs: 4
Permission violations: 4
Findings: 5
Most direct threat evidence
High · Documentation deception
Undeclared shell execution in workflow

SKILL.md declares no permissions, but reference/workflow.md requires executing 'npm install -g @fly-ai/flyai-cli@latest' which is shell:WRITE level.

reference/workflow.md:11

Why this conclusion was reached

2 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 4 capabilities or privilege violations beyond what is declared.

Review
Hidden execution and outbound connections

Extracted 4 general-risk artifacts; these need to be judged in context.

Block
Attack chains and high-risk findings

The report contains 0 attack-chain steps, plus 2 high or critical findings.

Review
Dependency and supply chain hygiene

Found 1 dependency or supply-chain lead that needs attention.

How the risk score was raised

Undeclared shell execution +20

workflow.md line 11 requires 'npm install -g @fly-ai/flyai-cli@latest' but SKILL.md declares no shell permissions

Undeclared filesystem access +15

user-profile-storage.md accesses ~/.flyai/user-profile.md without declaring filesystem:READ or filesystem:WRITE

Unpinned dependency +5

Uses @fly-ai/flyai-cli@latest with no version pinning in npm install

TLS verification bypass +5

NODE_TLS_REJECT_UNAUTHORIZED=0 disables SSL verification (workflow.md line 17)

Key evidence

High · Documentation deception

Undeclared shell execution in workflow

SKILL.md declares no permissions, but reference/workflow.md requires executing 'npm install -g @fly-ai/flyai-cli@latest' which is shell:WRITE level.

reference/workflow.md:11
Add shell:WRITE to declared permissions in SKILL.md frontmatter or remove inline CLI installation.
High · Documentation deception

Undeclared filesystem access for user profile storage

user-profile-storage.md reads/writes to ~/.flyai/user-profile.md without declaring filesystem:READ or filesystem:WRITE permissions.

reference/user-profile-storage.md:55
Declare filesystem:READ and filesystem:WRITE permissions in SKILL.md for ~/.flyai/ path access.
Medium · Supply chain

Unpinned dependency version

npm install uses @fly-ai/flyai-cli@latest which fetches the latest version without pinning, risking supply chain attacks.

reference/workflow.md:11
Pin to a specific version (e.g., @fly-ai/[email protected]) to ensure reproducible and secure builds.
Medium · Sensitive access

TLS verification bypass

Workflow instructs to set NODE_TLS_REJECT_UNAUTHORIZED=0 to bypass SSL certificate verification, exposing connections to MITM attacks.

reference/workflow.md:17
Investigate root cause of SSL errors and fix CA certificates rather than disabling verification.
Low · Documentation deception

Reference files contain executable patterns

Reference markdown files contain bash commands that would need to be executed as shell commands if used as scripts.

reference/workflow.md:36
Clearly document whether reference files are documentation or executable scripts.

Declared capabilities vs. actual capabilities

Command execution · Block
Declared: NONE
Inferred: WRITE
reference/workflow.md:11 - npm install -g @fly-ai/flyai-cli
Filesystem · Block
Declared: NONE
Inferred: WRITE
reference/user-profile-storage.md - mkdir -p ~/.flyai, write ~/.flyai/user-profile.md
Filesystem · Block
Declared: NONE
Inferred: READ
reference/user-profile-storage.md - read ~/.flyai/user-profile.md
Network access · Block
Declared: NONE
Inferred: READ
reference/workflow.md:11 - downloads CLI from registry.npmjs.org

Suspicious artifacts and outbound connections

Medium · External URL
https://img.alicdn.com/...

reference/search-hotel.md:44

Medium · External URL
https://img.alicdn.com/tfscom/...

reference/search-poi.md:32

Medium · External URL
https://nodejs.org/

reference/workflow.md:19

Medium · External URL
https://registry.npmmirror.com

reference/workflow.md:21

Dependencies and supply chain

Package: @fly-ai/flyai-cli
Version: latest (unpinned)
Source: npm (registry.npmjs.org)
Vulnerabilities / notes: No version pinning - could fetch malicious updates

File composition

13 files · 1035 lines
Markdown: 13 files · 1035 lines
Files needing attention · 4
reference/workflow.md Markdown · 279 lines
Undeclared shell execution in workflow · Unpinned dependency version · TLS verification bypass · Reference files contain executable patterns · https://nodejs.org/ · https://registry.npmmirror.com
reference/user-profile-storage.md Markdown · 187 lines
Undeclared filesystem access for user profile storage
reference/search-poi.md Markdown · 47 lines
https://img.alicdn.com/tfscom/...
reference/search-hotel.md Markdown · 57 lines
https://img.alicdn.com/...
Other files · SKILL.md · search-flight.md · search-train.md · search-marriott-hotel.md · keyword-search.md · search-marriott-package.md +2

Security highlights

No executable scripts (Python, JS, shell) present - only Markdown documentation
No credential harvesting or environment variable iteration observed
No base64-encoded payloads or obfuscation techniques detected
No sensitive path access (no ~/.ssh, ~/.aws, .env access)
No reverse shell, C2 communication, or data exfiltration patterns
No supply chain typosquatting detected (package name is descriptive)