medical-tourism
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is mostly a coherent flight-search helper, but it tells the agent to install an unpinned global npm CLI at runtime, which can modify the user’s environment.
Review the npm install step before using this skill. If you proceed, approve the flyai CLI installation only if you trust the package source, and avoid sharing unnecessary medical or personal details beyond route and date information.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing a global npm package can run third-party package code and leave a persistent command on the user’s system.
The skill directs the agent to install an external npm package globally at runtime. The package is unpinned and this installation is not represented in the install spec or required-binary metadata.
If flyai-cli is not installed, install it first... npm i -g @fly-ai/flyai-cli
Require explicit user approval before installation, pin and document the package version, declare the required binary/install step in metadata, and prefer a scoped or sandboxed execution method where possible.
The agent may run unsupported or unintended CLI flags, causing unreliable results or confusing failures.
The skill says the listed parameter table is authoritative, but later playbooks use parameters not listed there. This is not clearly malicious, but it weakens the stated command boundary.
NEVER invent CLI parameters. Only use parameters listed in the Parameters Table... flyai search-flight ... --journey-type 1 --sort-type 2
Align the parameter table with every referenced command and avoid using undocumented flags unless they are explicitly declared.
Origin, destination, travel dates, and medical-tourism context may be shared with the travel provider when searches are performed.
The skill sends travel-search parameters to a third-party/provider CLI. This is purpose-aligned, but medical-tourism routing and dates can reveal sensitive intent.
powered by Fliggy (Alibaba Group)... flyai search-flight --origin "{{o}}" --destination "{{d}}" --dep-date {{date}}Share only the minimum travel details needed for a search and avoid entering diagnoses, treatment details, medical records, or other unnecessary health information.