Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ClawFlight

v1.0.0

Find flights with Starlink satellite WiFi. Filters to Starlink-equipped airlines only, ranks by WiFi score/price/jet lag, returns affiliate booking links. Us...

by Samantha@assistant-design

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

Purpose & Capability (flagged)
The skill's stated purpose (finding Starlink-equipped flights) is consistent with the included code which calls Amadeus for flight offers and filters carriers by a local airlines DB. However the registry metadata declares no required environment variables while both SKILL.md and clawflight.js require AMADEUS_CLIENT_ID and AMADEUS_CLIENT_SECRET (the script exits if those are missing). This mismatch is a coherence problem: the skill will not run as advertised unless you provide Amadeus credentials, so the metadata understates the actual requirement.
Instruction Scope (flagged)
SKILL.md instructs installing and exporting AMADEUS_CLIENT_ID/SECRET (which the code needs) but also tells users to obtain a KIWI_API_KEY and mentions Kiwi.com as an affiliate source. The JS code, however, does not use a KIWI_API_KEY anywhere and generates Skyscanner deep links only (generateAffiliateLink uses skyscanner.com and a fixed ref). SKILL.md also describes a cron-driven 'post-flight nudge' and a database location at ~/clawd/projects/clawflight/data/, while the code uses a data directory relative to the package (PROJECT_ROOT/data) and contains no cron-scheduling logic. These mismatches mean the runtime instructions give actions and expectations that are not implemented by the code.
Install Mechanism
This is instruction-only in registry terms (no install spec), but includes a Node.js script and package.json; the SKILL.md tells users to run npm install. Dependencies are limited to axios and commander (typical for this use). There's no remote download or extract from arbitrary URLs. Installation risk is standard for a local Node package.
Credentials (flagged)
The code legitimately needs AMADEUS_CLIENT_ID and AMADEUS_CLIENT_SECRET plus an optional AMADEUS_ENV. The registry incorrectly lists no required env vars. SKILL.md asks users to obtain a Kiwi API key, but the code never reads KIWI_API_KEY (the affiliate links are Skyscanner-based and use a hard-coded ref). The code also writes a cached token file (.amadeus-token.json) and local JSON databases (saved-flights.json, ratings.json) under its project data folder — these are reasonable for the app but users should know tokens and saved data are persisted to disk.
Persistence & Privilege
always:false (normal). The skill stores an OAuth token cache (.amadeus-token.json) and user-saved flights/ratings under its data folder (writeFileSync usage). It does not modify other skills or system-wide settings. The SKILL.md mentions a cron job and weekly updates ('Samantha cron'), but there is no code to set up cron; persistence is limited to files in the package's data directory.
What to consider before installing
Before installing, verify these mismatches and confirm behavior:

- The package will not run unless you set AMADEUS_CLIENT_ID and AMADEUS_CLIENT_SECRET (clawflight.js will exit if they are missing). The registry listing incorrectly omitted these — be prepared to supply a dedicated Amadeus key (use a test key with minimal permissions if possible).
- SKILL.md tells you to get a KIWI_API_KEY and mentions Kiwi+Skyscanner affiliate links, but the code only generates Skyscanner deep links (no KIWI_API_KEY is consumed). Ask the author to clarify whether Kiwi integration is intended or to remove the Kiwi instructions.
- The skill caches the Amadeus access token to a local file (.amadeus-token.json) and writes saved-flights.json and ratings.json in its data directory. If you run this in a shared environment, choose install locations and filesystem permissions carefully; tokens and user data are stored in plaintext JSON.
- SKILL.md references a data path (~/clawd/projects/...) and a cron job for post-flight nudges, but the code uses a project-relative data directory and contains no cron setup. Confirm where data will live and who or what will run scheduled nudges.
- Affiliate links use a hard-coded affiliate/ref id; if this matters to you (privacy, redirection), verify the produced URLs and that you agree with the affiliate behavior.

If you want to proceed: obtain a dedicated Amadeus client id/secret, inspect and approve the data folder location, and consider running the CLI in an isolated environment. If any of the above inconsistencies are unacceptable, ask the publisher for a corrected package or source repository before installing.
