Flights

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: flights-search
Version: 1.2.0

The `SKILL.md` file contains a prerequisite installation instruction `curl -LsSf https://astral.sh/uv/install.sh | sh`. This command directly executes a remote script, which is a significant remote code execution (RCE) vulnerability. While the stated purpose is to install a legitimate tool (`uv`), an AI agent following this instruction without proper sandboxing or validation could be compromised if the remote script or its hosting domain were malicious. This constitutes a high-risk prompt injection vector against the agent, making the skill bundle suspicious rather than benign, despite the lack of explicit malicious intent within the provided files.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the setup may download and execute code from external package sources on the user's machine.

Why it was flagged

The skill relies on a remote installer and an unpinned external Python package. This is purpose-aligned for a CLI flight-search tool, but it is still a supply-chain point users should verify.

Skill content

install with `curl -LsSf https://astral.sh/uv/install.sh | sh` ... `fast-flights` library is installed automatically on first run via `uvx` ... `pip install fast-flights`

Recommendation

Install tooling from trusted official sources, prefer an isolated virtual environment, and pin or verify dependency versions where possible.

What this means

The skill may fail to run as documented or may depend on code not present in the reviewed artifact set.

Why it was flagged

The provided manifest lists only SKILL.md and no code files, so the referenced helper script is not present in the supplied artifacts. This is a packaging/provenance inconsistency, not evidence of malicious behavior.

Skill content

The `flights-search` CLI is bundled at `scripts/flights-search` in this skill directory.

Recommendation

Verify the installed package contents before running the referenced CLI script.

What this means

If used, the command executes local Python code and the fast-flights dependency with the user's travel-search arguments.

Why it was flagged

The skill directs use of a local Python command. This is expected for a CLI-based search skill and is shown as user-invoked usage rather than hidden or automatic execution.

Skill content

`uvx --with fast-flights python3 scripts/flights-search <origin> <destination> <date> [options]`

Recommendation

Run the command only when intentionally using the skill, and inspect the referenced script if it is present in the installed package.