FlyClaw (Flight N-in-1 Search Zero Login)
Pass
Audited by ClawScan on May 1, 2026.
Overview
FlyClaw appears to be a coherent flight-search tool, but users should notice its external data-provider calls, built-in service credential defaults, local route cache, and ambiguous purchase capability signal.
Before installing, confirm you only want flight search and price aggregation, not booking or payment. Be comfortable with route/date/cabin search details going to the listed providers, consider pinning dependencies in an isolated Python environment, and clear the local route cache if travel lookups are sensitive.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your flight search details such as route, date, cabin, and passenger counts may be sent to listed data providers even though no login or personal account is required.
The skill necessarily queries external flight data sources, so the 'All data stays local' privacy wording is broader than the actual external-provider workflow.
Multi-source aggregation via open-source libraries and free public APIs ... All data stays local — no personal data collected or stored.
Use the skill only if you are comfortable with travel-search queries being sent to the named providers; avoid entering unnecessary personal details.
Requests to that provider may be made using bundled/default service credentials rather than a user-supplied credential.
The Fliggy source can use built-in service credentials even though the skill advertises zero user API-key setup.
api_key: "" # Leave empty to use built-in default key ... sign_secret: "" # Leave empty to use built-in default secret
If your policy prohibits bundled third-party credentials, disable that source or configure approved credentials before use.
A user might mistakenly treat the skill as safe for purchase actions even though no purchase approval flow is documented.
The metadata includes a purchase-related capability signal, while the visible skill documentation describes search and price lookup rather than completing purchases.
Capability signals - crypto - can-make-purchases
Use it for flight information only; do not authorize booking or payment actions through this skill unless a separate, clearly scoped purchase flow is reviewed.
Local cache files may reveal recent flight numbers or route lookups to someone with access to the skill directory.
The tool persists route lookup data locally so it can reuse flight-number route information later.
Maintains a mapping of flight_number → {origin, destination, last_seen} ... Cache file: cache/flight_routes.json
Clear the cache directory if route searches are sensitive or if you share the machine.
Future dependency versions could change behavior or introduce vulnerabilities, which is a normal but real package supply-chain consideration.
Dependencies are installed from package indexes with lower-bound constraints and no lockfile shown.
requests>=2.28.0 pyyaml>=6.0 curl_cffi>=0.5.0 flights>=0.7.0 cryptography>=42.0.0
Install in an isolated environment and pin or review dependency versions if you need reproducible or policy-controlled deployments.
