Skillv3.2.0

ClawScan security

lunar-new-year-flight · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 24, 2026, 7:38 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill is instruction-only and mostly coherent for running a flight-search CLI, but has notable inconsistencies (claims Fliggy / Alibaba branding while the runtime demands an unrelated @fly-ai CLI), asks you to install a global npm package at runtime without describing authentication or provenance, and includes rigid execution rules that could cause repeated install/execute loops — proceed with caution.
Guidance: Key things to check before installing or using this skill: - Brand mismatch: the description mentions Fliggy (Alibaba) but the runtime uses a CLI called "flyai" (@fly-ai/flyai-cli). Ask the publisher which service is actually being queried and why the branding differs. - npm install risk: the skill tells the agent to run npm i -g @fly-ai/flyai-cli at runtime. Only proceed if you trust the @fly-ai package. Inspect the package on the npm registry (maintainer, README, code) before installing, and avoid installing globally on a production or privileged host (use a sandbox or container). - Authentication ambiguity: the skill never documents how the CLI authenticates to booking providers. Confirm whether the CLI requires login, API keys, or stores tokens locally; don’t provide credentials until you understand where they are stored and who controls them. - Execution behavior: the skill enforces strict rules (must use CLI, must include [Book](detailUrl) links, must re-execute on failure) — this can force repeated installs/executions. Consider limiting retries or running the CLI manually once to validate output. - If you lack a way to safely inspect the npm package, consider not installing this skill. If you proceed, run the CLI in an isolated environment (VM, container) first to confirm behavior and to verify that search results and booking links are legitimate and do not redirect to unexpected endpoints.

Review Dimensions

Purpose & Capability: concernThe skill's stated description says it's "powered by Fliggy (Alibaba Group)" and promises Fliggy-brand flight/hotel functionality, yet every runtime instruction uses a third-party CLI named "flyai" (npm package @fly-ai/flyai-cli) and repeatedly brands outputs "Powered by flyai." This brand mismatch is unexplained and inconsistent with the stated source. Otherwise, requiring a CLI to query live flight data is plausible for a booking skill.
Instruction Scope: concernSKILL.md tightly constrains behavior: it forbids using training data and mandates all answers come from the flyai CLI; it instructs installing the CLI (npm i -g @fly-ai/flyai-cli) if missing and to abort if install still fails. This is reasonable for a CLI-backed skill, but the instructions do not address authentication (how the CLI gets access to booking APIs) and include a strict self-test that forces re-execution if booking links are absent — raising the risk of repeated install/execute loops or degraded UX. The skill does not instruct reading unrelated files or exfiltrating secrets, but it gives the agent broad procedural freedom to install and run global commands.
Install Mechanism: noteThere is no declared install spec in metadata, but the runtime instructions explicitly instruct installing a global npm package (npm i -g @fly-ai/flyai-cli) from the public npm registry. Installing a public npm package is a typical way to get a CLI, but doing so at runtime and globally modifies the host environment and relies on an external package whose provenance isn't documented. This is moderate risk compared to a vetted release host; verify the package and avoid installing as root or on a sensitive system.
Credentials: noteThe skill declares no required environment variables or credentials, which is consistent with the metadata. However, the instructions do not explain how authentication (if needed) to the booking service is handled — no login, API key, or token steps are documented. That omission is an incoherence: many booking CLIs require credentials or user accounts; absence of any auth guidance could mean the CLI uses an external service or expects local/global config, which should be clarified before trusting it.
Persistence & Privilege: okThe skill does not request always-on presence (always: false), nor does it declare any config paths or system-wide changes beyond the recommended global npm install. It does not request environment credentials or attempt to modify other skills' configs. Autonomous invocation is allowed by default (disable-model-invocation: false), which is expected for skills and not itself a disqualifier.