ClawFlight

Pass

Audited by ClawScan on May 10, 2026.

Overview

ClawFlight appears purpose-aligned for flight search, but users should notice it uses Amadeus API credentials, stores a local token, references missing data files, and mentions scheduled nudges.

Before installing, verify the missing data files, use a dedicated Amadeus API key, keep the local data directory private, and check whether any cron nudge is actually installed. The artifacts reviewed do not show credential theft, hidden exfiltration, or destructive behavior.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your Amadeus API credentials will be used by the skill to request flight data.

Why it was flagged

The skill uses provider credentials from environment variables; this is expected for Amadeus flight search, but it is sensitive access and is under-declared by the registry metadata.

Skill content

const AMADEUS_CLIENT_ID = process.env.AMADEUS_CLIENT_ID;
const AMADEUS_CLIENT_SECRET = process.env.AMADEUS_CLIENT_SECRET;

Recommendation

Use a dedicated Amadeus app/key, prefer the test environment unless you need production data, and remove or rotate the key if you stop using the skill.

What this means

A local access token file may allow Amadeus API use until it expires if another local process can read it.

Why it was flagged

The code caches the Amadeus access token locally under the project data directory. This is normal API plumbing, but the token file should be protected.

Skill content

const TOKEN_CACHE_FILE = join(PROJECT_ROOT, 'data', '.amadeus-token.json');
...
writeFileSync(TOKEN_CACHE_FILE, JSON.stringify(token));

Recommendation

Keep the project data directory private and delete data/.amadeus-token.json if you uninstall or suspect exposure.

What this means

The skill may fail at runtime or rely on local data files that were not included in this review.

Why it was flagged

SKILL.md and the code reference data/airlines.json, data/saved-flights.json, and data/ratings.json, but those files are not present in the supplied manifest.

Skill content

4 file(s): SKILL.md; clawflight.js; package-lock.json; package.json

Recommendation

Verify the missing data files and their contents before relying on the skill's Starlink airline database or saved-flight features.

What this means

Saved itineraries or ratings may remain on disk after use.

Why it was flagged

The skill is designed to persist user flight selections and ratings. This is purpose-aligned for post-flight nudges and ratings, but travel history can be sensitive.

Skill content

data/
├── saved-flights.json # User-saved flights
└── ratings.json       # Community WiFi ratings

Recommendation

Review and delete saved-flights.json or ratings.json if you do not want travel details retained locally.

What this means

If enabled, the skill may continue prompting after the original flight-search task.

Why it was flagged

The documentation describes scheduled background behavior. It is disclosed and limited to a rating nudge, but the supplied install artifacts do not show how the cron job is created or disabled.

Skill content

A cron job will nudge you 6 hours after arrival to rate the WiFi.

Recommendation

Confirm whether any cron entry is actually installed, how to disable it, and whether it only reads this skill's saved-flight data.

What this means

Booking links may generate commission for the skill operator.

Why it was flagged

The skill discloses monetized booking links. This is not hidden, but it may affect user trust in recommendations.

Skill content

Affiliate links — direct booking links ... Affiliate ID: `clawflight`

Recommendation

Compare prices independently if affiliate incentives matter to you.