Skillv3.2.0

ClawScan security

marathon-trip · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 24, 2026, 7:38 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions are coherent for a CLI-driven flight-booking helper, but there are unexplained mismatches (undeclared runtime dependencies, an npm global install invoked only in SKILL.md, and an unclear provider attribution), so proceed with caution and verify the external package before installing.
Guidance: This skill appears to be a CLI-driven flight-booking helper that expects to call a third-party tool (flyai). Before installing or enabling it: 1) Verify the provenance of the @fly-ai/flyai-cli npm package (check npmjs.org, read package source, maintainer, and recent releases); 2) Confirm the claimed provider — the SKILL.md mentions Fliggy (Alibaba) but the CLI is named 'flyai' (this mismatch could be harmless or indicate an impersonation); 3) Be cautious about running 'npm i -g' globally — consider testing in a sandbox or container, since npm packages can run code at install and runtime; 4) If you require guarantees, ask the skill author for a homepage, code repository, or signed release; 5) If you decide to proceed, monitor the network requests and package behavior (and avoid giving unrelated credentials). If the author cannot clarify the Node/npm dependency or provider relationship, treat the skill as untrusted.

Review Dimensions

Purpose & Capability: concernThe skill claims to book flights/hotels/etc. and its runtime instructions rely entirely on a third-party CLI (flyai). However the skill manifest declares no required binaries or credentials while the instructions require Node/npm and a global npm package (@fly-ai/flyai-cli). This mismatch (manifest says 'none' but SKILL.md instructs installing tooling) is an incoherence that should be resolved. Also the description says 'powered by Fliggy (Alibaba Group)' while the CLI is named 'flyai'—the provider relationship is unclear.
Instruction Scope: okThe SKILL.md stays within the travel-booking domain: it mandates using the flyai CLI, defines exact commands and parameters, forbids using training data, and requires results to include booking links. It does not instruct reading unrelated files, accessing arbitrary environment variables, or exfiltrating data. The strict 'must use CLI' rules limit scope, but the self-test and re-execution loop give the agent broad autonomy to repeatedly call the CLI.
Install Mechanism: concernThere is no registry install spec, but SKILL.md directly tells the agent to run 'npm i -g @fly-ai/flyai-cli' when flyai isn't present. Installing a global npm package on the fly is a moderate risk: npm packages can execute arbitrary code at install/run time. The skill does not declare this install action in its manifest and provides no canonical source, homepage, or checksum for verification.
Credentials: okThe skill requests no environment variables, credentials, or config paths in the registry metadata. The actual instructions likewise do not request access to secrets or unrelated credentials. This access level is proportionate to the stated purpose.
Persistence & Privilege: okalways is false and the skill is user-invocable with normal autonomous invocation allowed. The skill does not ask to modify other skills or system settings. The main persistence concern is the optional global npm install (which would write to system/global npm modules), but that is not an automatic registry install flag—it's an instruction the agent may follow.