ClawHub

Flight Search

v0.1.7

Search Google Flights for prices, times, and airlines. No API key required.

6· 5.4k·43 current·46 all-time
byAaron Levin@awlevin
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (search Google Flights) match the code and declared dependency (fast-flights). The SKILL.md, CLI, and search module all implement scraping/search behavior. The requirement for the 'uvx' binary (and the pip install of package 'uv' which provides uvx) is consistent with the tool's documented quick-start: uvx allows running the tool without global install. No unrelated cloud credentials, system config paths, or unrelated binaries are requested.
Instruction Scope
SKILL.md and README instruct running the CLI or installing via uv/pip/pipx; runtime CLI code only reads CLI args, validates dates, calls the fast_flights library, and formats output. There are no instructions to read arbitrary files, environment secrets, or to exfiltrate data. The CLI uses subprocess.run to detect installers and to perform upgrades; those calls use fixed argument lists (no shell interpolation of user input).
Install Mechanism
The skill's install spec is a pip entry that installs the 'uv' package to provide the 'uvx' binary — this is an indirect but explainable dependency. The repository README also promotes a curl | bash one-liner that fetches install.sh from the project's GitHub (raw.githubusercontent.com). Download-and-pipe installs from a well-known host (GitHub) are common but higher risk than using pip/pipx/uv directly; prefer package manager installs over piping remote scripts into a shell.
Credentials
The skill declares no required environment variables or credentials and the code does not access environment secrets or unrelated config paths. All external access is via the fast-flights scraping library and normal network access performed by that dependency. No extra credentials are requested.
Persistence & Privilege
The skill does not request permanent/force-installed privileges (always is false). It does not modify other skills' configs or system-wide agent settings. It can be invoked autonomously (platform default), which is expected for a user-invocable skill; this is not combined with other concerning factors.
Assessment
This package is internally consistent for a Google Flights scraper CLI: it depends on the fast-flights library for scraping, expects the uv/uvx runner (or pip/pipx) and includes safe-looking code that only parses arguments and calls the scraper. Before installing, consider: (1) the tool performs web scraping against Google Flights (no API key) so network requests will be made and Google may block/limit requests; (2) prefer installing via pip/pipx/uv rather than the README's curl | bash one-liner (curl targets GitHub raw content — inspect install.sh before piping into a shell); (3) upgrades invoke pip/pipx/uv, which require network access; and (4) run this in an environment where making outbound HTTP requests is acceptable. If you need extra assurance, inspect the fast-flights dependency and run the tests locally in a sandboxed environment first.

Like a lobster shell, security has layers — review code before you run it.

latestvk971rgshqa6kabyk2aj96wdfws80n7xy

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

✈️ Clawdis
Binsuvx

Comments