Scan Report
10/100
flyai-companion-match
Travel-companion matching assistant: filters destination attractions according to the characteristics of the people travelling together (elderly relatives, children, close friends, and so on). It calls FlyAI to fetch attraction data, automatically filters the results against the companion profile, and recommends attractions and activities that suit every member of the group.
This is a pure-documentation travel companion matching skill that provides prompt instructions for AI agents, with no executable code — all shell execution, filesystem access, and network behavior are explicitly documented and directly tied to the declared FlyAI CLI tool functionality.
Safe to install
Approve for use. All resource usage is documented, relevant, and necessary for the skill's stated purpose. Consider pinning the npm package version in production deployments to avoid supply-chain risk from unpinned @latest.
Findings 2 items
| Severity | Finding | Category | Location |
|---|---|---|---|
| Low | Unpinned npm package version | Supply Chain | SKILL.md:75 |
| Low | TLS certificate verification disabled for flyai CLI | Doc Mismatch | SKILL.md:93 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ,WRITE | READ,WRITE | ✓ Aligned | SKILL.md (mkdir ~/.flyai, cat/read_file ~/.flyai/user-profile.md, write user pro… |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md '前置步骤': npm install -g @fly-ai/flyai-cli@latest, flyai search-poi, flya… |
| Network | NONE | NONE | — | No direct HTTP requests; network traffic only occurs transitively through the fl… |
| Environment | NONE | NONE | — | No iteration over os.environ; NODE_TLS_REJECT_UNAUTHORIZED is an ad-hoc env var … |
| Skill Invoke | READ | READ | ✓ Aligned | SKILL.md describes read order: search_memory → read_file as fallback; no undecla… |
| Clipboard | NONE | NONE | — | Not referenced anywhere in the skill |
| Browser | NONE | NONE | — | Not referenced; URLs in output (jumpUrl fields) are informational only |
| Database | NONE | NONE | — | No database access; Qoder Memory (search_memory/update_memory) is not a database… |
External URLs 3 findings

| Severity | Finding | URL | Location |
|---|---|---|---|
| Medium | External URL | https://nodejs.org/ | SKILL.md:124 |
| Medium | External URL | https://img.alicdn.com/... | reference/search-hotel.md:44 |
| Medium | External URL | https://img.alicdn.com/tfscom/... | reference/search-poi.md:32 |

File Tree
12 files · 29.9 KB · 981 lines · all Markdown

```text
├─ reference/
│  ├─ ai-search.md
│  ├─ examples.md
│  ├─ keyword-search.md
│  ├─ search-flight.md
│  ├─ search-hotel.md
│  ├─ search-marriott-hotel.md
│  ├─ search-marriott-package.md
│  ├─ search-poi.md
│  ├─ search-train.md
│  ├─ tools.md
│  └─ user-profile-storage.md
└─ SKILL.md
```
Dependencies 1 item

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| @fly-ai/flyai-cli | @latest (unpinned) | npm | No | Version not pinned; resolves to latest at install time |
Security Positives
✓ No executable scripts or code — skill is 100% Markdown documentation
✓ All shell commands are explicitly declared and directly tied to the core FlyAI CLI functionality
✓ Filesystem access is scoped to a single user-specific path (~/.flyai/user-profile.md) with clear purpose
✓ No credential harvesting, API key scanning, or environment variable enumeration
✓ No obfuscation, base64 payloads, or hidden instructions in HTML comments
✓ No supply-chain indicators beyond the @latest npm tag (minor)
✓ User profile storage is fully documented with a legitimate dual-mode fallback pattern
✓ No C2 communication, reverse shells, or data exfiltration behavior
✓ No sensitive paths (~/.ssh, ~/.aws, .env) are accessed
✓ Skill name and branding are consistent with documented functionality — no masquerading