Seats Aero
v0.1.0Search award flight availability across 24 mileage programs, including business and first class, with detailed route and booking info via seats.aero API.
⭐ 1· 1.7k·3 current·3 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
SKILL.md clearly describes a seats.aero partner API client for searching award availability — that aligns with the skill name. The package metadata lacks a description, but the runtime instructions match the advertised purpose. Minor mismatch: SKILL.md references helper code (scripts/seats_api.py) and a reference file (references/api-spec.md) that are not present in the bundle, suggesting incomplete packaging or expectation of external code.
Instruction Scope
Instructions are narrowly scoped to calling seats.aero partner endpoints (search, availability, routes, trips) and prompt the user for an API key. Concerns: (1) the skill directs storing the API key in conversation context for subsequent requests — this can lead to the key persisting in chat logs unless the platform provides secure secret handling; (2) the instructions reference local helper scripts and docs that are not included, which could cause the agent to attempt to synthesize or fetch code from elsewhere or mislead the operator about available tooling.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or written to disk by an installer in the package itself.
Credentials
The skill requests an API key at runtime (Partner-Authorization header) which is proportionate to the declared API integration. However, the package declares no required environment variables or primary credential despite requiring an API key; combined with the instruction to store keys in conversation context, this raises a modest risk that secrets will be handled insecurely (logged, retained in transcripts, or reused without explicit consent).
Persistence & Privilege
always:false and no config paths or system modifications are requested. The skill can be invoked autonomously (platform default), but it does not ask for elevated persistence or system-level privileges.
What to consider before installing
This skill appears to be a straightforward seats.aero partner API client, but it has gaps you should understand before installing: (1) The SKILL.md references helper scripts (scripts/seats_api.py) and a local API spec (references/api-spec.md) that are not included in the package — ask the publisher whether those files are intentionally omitted or where they are hosted. (2) The skill asks you to provide your seats.aero API key and instructs the agent to 'store the key in conversation context' — verify how the platform stores and protects secrets (do not paste keys into public chat or logs). Prefer using the platform's secure secret/storage mechanism or declaring the key as a required secret in the skill manifest. (3) Confirm the exact endpoints and booking links returned by the API before following any links. If you proceed, supply the API key only after confirming secure handling, and request the missing helper code or implementation details from the publisher. If the publisher cannot justify the missing files or secret-handling approach, treat the skill as incomplete and avoid sharing credentials.Like a lobster shell, security has layers — review code before you run it.
latestvk97d63pybcvb0vrgzsxnve814980jwqg
License
MIT-0
Free to use, modify, and redistribute. No attribution required.