luggage-shipping

Advisory

Audited by VirusTotal on Apr 24, 2026.

Overview

Type: OpenClaw Skill
Name: luggage-shipping
Version: 3.2.0

The skill mandates the global installation of an external NPM package (@fly-ai/flyai-cli) and forces the agent to execute system-level CLI commands while strictly forbidding the use of its own knowledge base. This requirement for global software installation and the use of 'CRITICAL EXECUTION RULES' to override agent defaults poses a significant supply chain risk and potential for unauthorized system modification, although no explicit evidence of intentional malice (like data exfiltration) is present in the provided files. Primary files: SKILL.md and references/fallbacks.md.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could install and execute a changing third-party CLI package on your machine as part of a travel search.

Why it was flagged

The skill is otherwise instruction-only and has no install spec, but it directs the agent to install an unpinned global npm package before use. Global npm installs can persist executable code in the user's environment, and the artifacts do not provide version pinning or explicit approval guidance.

Skill content

If flyai-cli is not installed, install it first... npm i -g @fly-ai/flyai-cli

Recommendation

Only proceed if you trust the flyai CLI source. Prefer manually reviewing/installing a pinned version, and require explicit approval before any global npm install.

What this means

The agent may run slightly different flyai commands than the main parameter table suggests, which could cause failed or unexpected searches.

Why it was flagged

The skill tries to constrain CLI usage, but one of its own playbooks uses a flag not listed in the main parameter table, making the intended tool boundary less clear.

Skill content

NEVER invent CLI parameters. Only use parameters listed... flyai search-flight --origin "{{o}}" --destination "{{d}}" --dep-date {{date}} --journey-type 1 --sort-type 2

Recommendation

Confirm the intended route, date, and options before execution, and have the maintainer align the parameter table with all documented playbooks.

What this means

Your travel search details may be shared with the external travel provider to return live results and booking links.

Why it was flagged

The workflow depends on an external flyai/Fliggy provider for live travel results, so travel search details such as origin, destination, dates, and budget may be sent through that CLI.

Skill content

powered by Fliggy (Alibaba Group)... Every piece of data MUST come from `flyai` CLI output.

Recommendation

Avoid entering unnecessary personal information, and review the provider/CLI privacy terms before using it for sensitive travel plans.