飞伙
Pass
Audited by ClawScan on May 15, 2026.
Overview
This skill coherently documents a flight/hotel search CLI, but users should trust the external npm package and protect the API key it stores locally.
Before installing, verify that feihuo-cli is the package you intend to trust, then configure only a limited API key and keep ~/.config/feihuo/config.json private. The provided skill text does not show hidden execution, data exfiltration, or destructive behavior.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the CLI may run code from the npm package and gives that package local execution ability under the user's account.
The skill instructs installation of an external global npm package without a pinned version or included source for review. This is expected for a CLI-based skill, but users must trust the npm package.
Install the CLI: `npm install -g feihuo-cli`
Verify the npm package source and publisher before installing, consider pinning a known version, and use an isolated environment if possible.
Anyone or any process that can read the config file or control the CLI may be able to use the configured feihuo API key.
The skill requires a service API key, stores it in a local config file, and uses it as a bearer token for requests. This is disclosed and purpose-aligned, but it is credential handling.
Configure the API key: `feihuo config set api-key xxxxxx` ... `~/.config/feihuo/config.json` ... `Authorization: Bearer <api-key>`
Use a limited and revocable API key, keep the config file private, avoid sharing the key in chat logs, and rotate the key if exposure is suspected.
