Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Flights

v1.2.0

Search flights via Google Flights. Find nonstop/connecting flights, filter by time and cabin class, get booking links. Supports city names (NYC, London, Toky...

1 · 2.4k · 4 current · 4 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The skill claims to bundle a CLI at scripts/flights-search inside the skill directory, but the published package contains no code files at all, only SKILL.md. That is a direct mismatch between what the skill says it ships and what is actually present. The other capability claims (querying Google Flights data with Python and the fast-flights library) are plausible, but the missing bundled script is a substantive coherence problem.
[!] Instruction Scope
The runtime instructions tell the agent or user to install an external tool (uv) via a remote installer (curl ... | sh), to use uvx to pull the fast-flights library, and to run a local scripts/flights-search CLI that does not exist in the skill bundle. The instructions do not ask for credentials or unrelated system data, but they do direct the user to run a remote installer and to fetch code at runtime, and they rely on a reverse-engineered Google Flights protobuf API, which may have terms-of-service or legal implications.
[!] Install Mechanism
There is no formal install spec in the registry; instead SKILL.md recommends running an external shell installer from https://astral.sh (curl | sh) and relying on uvx to fetch the fast-flights package. Downloading and executing a remote install script is higher risk because whatever the external server returns at that moment is executed with the user's privileges, without review. The alternative pip install path (pip install fast-flights) is safer but still pulls third-party code at runtime, and without a pinned version it resolves to whatever release is current on PyPI.
Credentials
The skill declares no required environment variables, credentials, or config paths, and the instructions do not request additional secrets. There is no disproportionate credential access.
Persistence & Privilege
The registry metadata does not request persistent or elevated privileges (always:false). The skill is user-invocable and permits normal autonomous invocation, which is the platform default, but it declares no unusual persistence or cross-skill configuration changes.
What to consider before installing
Do not run remote installers or execute unfamiliar scripts without review. Specific issues to consider before installing or running this skill:
- SKILL.md says a scripts/flights-search CLI is bundled, but the published package contains no code, so the documented commands will either fail outright or cause you to fetch code from external sources at runtime.
- The instructions recommend running a remote installer via curl | sh (astral.sh). That fetches and runs code from the internet and can execute arbitrary commands on your machine. Prefer installing known packages through your package manager or pip after inspecting their source.
- The tool relies on a third-party Python package (fast-flights) that uses a reverse-engineered Google Flights protobuf API. That may work today but could break at any time, and it could violate Google's terms of service; review the fast-flights project source and its network behavior before using it.
- If you still want to try it: inspect the fast-flights repository and any install scripts (the astral.sh/uv installer) manually, avoid piping unknown scripts into sh, and prefer pip install fast-flights in a contained environment (virtualenv or container). If you need stronger assurance, ask the publisher for the missing scripts or a signed release, and for an explanation of why the CLI is not bundled in the package.
Reason for confidence: medium. No code files were present to inspect, so the assessment relies on the SKILL.md text alone; the concrete mismatches (missing bundled CLI plus a remote installer) make this suspicious but not definitively malicious.
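The two checks above (does the bundle actually contain the scripts its SKILL.md refers to, and does SKILL.md ask you to pipe a remote installer into a shell) can be automated before anything is executed. The following script is an added example written for this page; it is not part of ClawHub, the scanner, or the Flights skill. It assumes an unpacked skill directory containing a SKILL.md, and the sample SKILL.md it builds is constructed to mirror the findings in this report (the installer URL is a placeholder, not the real astral.sh one).

```shell
#!/bin/sh
# Added example (not ClawHub or Flights skill code): pre-install checks for an
# unpacked skill directory. Paths, function names and the sample SKILL.md are
# constructed for illustration.
set -eu

# Print every scripts/<name> path mentioned in SKILL.md that is absent from the
# bundle, one per line. Prints nothing when all referenced scripts are present.
missing_bundled_scripts() {
    skill_dir=$1
    grep -oE 'scripts/[A-Za-z0-9_./-]+' "$skill_dir/SKILL.md" | sort -u |
    while IFS= read -r rel; do
        [ -e "$skill_dir/$rel" ] || printf '%s\n' "$rel"
    done
}

# Print (with line numbers) every SKILL.md line that downloads something with
# curl or wget and pipes it straight into a shell. Exit 0 even when nothing
# matches, so callers under set -e can use the output as a report.
remote_pipe_to_shell() {
    skill_dir=$1
    grep -nE '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba|z|da)?sh([[:space:]]|$)' \
        "$skill_dir/SKILL.md" || true
}

# Constructed sample mirroring this report: SKILL.md references a CLI that is
# not shipped and tells the user to pipe a remote installer into sh.
# Prints the path of the temporary skill directory it created.
make_sample_skill() {
    dir=$(mktemp -d)
    cat > "$dir/SKILL.md" <<'EOF'
# Flights (constructed sample, not the real skill)
Install uv first: curl -LsSf https://example.invalid/install.sh | sh
Then run the bundled CLI: scripts/flights-search NYC LHR 2025-01-01
EOF
    printf '%s\n' "$dir"
}

# Usage: run the checks against the constructed sample, then clean up.
sample=$(make_sample_skill)
echo "Referenced but missing scripts:"
missing_bundled_scripts "$sample"
echo "Remote installers piped into a shell:"
remote_pipe_to_shell "$sample"
rm -rf "$sample"
```

Point the two check functions at a real unpacked skill directory instead of the sample; any output from either is a reason to stop and read SKILL.md by hand before running a single command from it.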


latest vk97arjg757jk1ra45q1aaha04x81vxd8
