FlyClaw (Flight N-in-1 Search Zero Login)

Security checks across malware telemetry and agentic risk

Overview

FlyClaw appears to be a real flight-search tool, but its default Fliggy integration quietly creates a persistent device identifier and sends device/context metadata despite broad privacy claims.

Review before installing. Use an isolated Python environment, pin dependencies if possible, and consider disabling the Fliggy source in config.yaml unless you are comfortable with a persistent device ID and device/context metadata being sent to Fliggy during searches.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (11)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding:
The skill advertises broad operational behavior including network access, local file/cache handling, and even references to MCP-related components, but it declares no permissions. This creates a transparency and consent problem: hosts or users may execute a skill with more capability than they expect, especially since the documentation explicitly mentions cache files, config files, and remote data retrieval. In a security review, undeclared capabilities are a real risk because they weaken sandboxing assumptions and make policy enforcement harder.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding:
The documentation makes strong trust-signaling claims like 'zero API key', 'no browser', and purely public-data querying, while the analyzed behavior reportedly includes optional API-key integrations, remote metadata downloads that can overwrite local files, and optional browser-based/extra tooling paths. That mismatch is dangerous because users and platforms may rely on the declared behavior when deciding whether to install or sandbox the skill; hidden or understated capabilities can enable unexpected external communication and local state changes. The risk is amplified here because the skill is explicitly positioned as low-friction and safe, which may reduce user scrutiny.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
  requests>=2.28.0
  pyyaml>=6.0
  curl_cffi>=0.5.0
  flights>=0.7.0
Confidence: 93%
Finding: requests>=2.28.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
  requests>=2.28.0
  pyyaml>=6.0
  curl_cffi>=0.5.0
  flights>=0.7.0
  cryptography>=42.0.0
Confidence: 94%
Finding: pyyaml>=6.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
  requests>=2.28.0
  pyyaml>=6.0
  curl_cffi>=0.5.0
  flights>=0.7.0
  cryptography>=42.0.0
  # Optional: mcp>=1.26.0 (MCP backend for Skiplagged, enable via mcp_enabled: true)
Confidence: 95%
Finding: curl_cffi>=0.5.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
  requests>=2.28.0
  pyyaml>=6.0
  curl_cffi>=0.5.0
  flights>=0.7.0
  cryptography>=42.0.0
  # Optional: mcp>=1.26.0 (MCP backend for Skiplagged, enable via mcp_enabled: true)
  # Optional: fast-flights>=3.0rc0 (--compare)
Confidence: 89%
Finding: flights>=0.7.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
  pyyaml>=6.0
  curl_cffi>=0.5.0
  flights>=0.7.0
  cryptography>=42.0.0
  # Optional: mcp>=1.26.0 (MCP backend for Skiplagged, enable via mcp_enabled: true)
  # Optional: fast-flights>=3.0rc0 (--compare)
  # Optional: playwright (--compare --browser)
Confidence: 92%
Finding: cryptography>=42.0.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

Severity: High
Category: Supply Chain
Confidence: 90%
Finding: requests

Known Vulnerable Dependency: pyyaml — 8 advisory(ies): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Severity: Critical
Category: Supply Chain
Confidence: 97%
Finding: pyyaml

Known Vulnerable Dependency: curl_cffi — 2 advisory(ies): GHSA-3vpc-4p9p-47hc (curl_cffi bundles a version of libcurl affected by High Severity vulnerability); CVE-2026-33752 (curl_cffi: Redirect-based SSRF leads to internal network access in curl_cffi (wi)

Severity: High
Category: Supply Chain
Confidence: 95%
Finding: curl_cffi

Known Vulnerable Dependency: cryptography — 10 advisory(ies): GHSA-39hc-v87j-747x (Vulnerable OpenSSL included in cryptography wheels); CVE-2023-50782 (Python Cryptography package vulnerable to Bleichenbacher timing oracle attack); GHSA-5cpq-8wj7-hf2v (Vulnerable OpenSSL included in cryptography wheels) +7 more

Severity: High
Category: Supply Chain
Confidence: 88%
Finding: cryptography

VirusTotal

67/67 vendors flagged this skill as clean.
