Skillv3.2.0

ClawScan security

medical-tourism · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 24, 2026, 7:38 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill claims to be a booking helper but its instructions require installing and running an external npm CLI at runtime (and it declares no install or source), a mismatch that is proportionately risky and worth close review before installing.
Guidance: This skill is suspicious because its SKILL.md directs the agent to install and run a third-party npm CLI at runtime even though the package source and required binary are not declared in the registry. Before installing or enabling it: 1) Verify the upstream package (@fly-ai/flyai-cli) on npm/js.org and inspect its homepage and code; confirm it is the official client for the claimed service (Fliggy/Alibaba). 2) Don't install globally on a production machine — test in an isolated sandbox or VM first. 3) Ask the skill author for a homepage, source repository, and details on how authentication and booking are handled (does the CLI prompt for credentials, store tokens, or require API keys?). 4) If you cannot verify the npm package and its publisher, decline or restrict the skill; installing arbitrary npm packages globally can run arbitrary code and persist on your system. 5) If you proceed, monitor network activity and filesystem changes and avoid providing sensitive credentials until you confirm the integration flow. Additional info (package homepage, code link, or publisher identity) would raise confidence and could change this assessment.

Review Dimensions

Purpose & Capability: concernThe skill advertises flight/hotel/medical-tourism booking (claims 'Powered by Fliggy / Alibaba') but the runtime instructions rely on an external CLI (@fly-ai/flyai-cli) that is not declared in the registry metadata (no required binaries, no homepage or source). That mismatch (undeclared required binary + unknown upstream) is incoherent: a booking helper legitimately needs a booking API/CLI, but the registry should have declared that dependency and a trustworthy source.
Instruction Scope: concernSKILL.md instructs the agent to install (npm i -g @fly-ai/flyai-cli) and run flyai commands, to never answer from training data, and to re-run until every result contains a specific booking link. Those runtime actions cause network calls and global package installation and they assume the CLI will produce booking links and handle any auth — but the instructions do not specify where credentials come from or how authentication is performed. The skill also enforces strict rules (never use training data, always use CLI) that could cause the agent to attempt to install/run arbitrary code rather than gracefully degrade.
Install Mechanism: concernThere is no declared install spec in the registry, yet the skill explicitly instructs installing a global npm package at runtime. Installing an arbitrary npm package globally can execute code on the host and persists on disk; the npm package (@fly-ai/flyai-cli) has no homepage/source listed in the skill metadata for verification. This is higher-risk than instruction-only behaviors that do not modify the host.
Credentials: noteThe skill declares no required environment variables or credentials, which is unusual for a booking/booking-API integration (most booking flows require API keys, accounts, or OAuth). The absence of declared credentials may be explainable if the CLI handles auth interactively or via its own config, but that is not documented in SKILL.md — an information gap that reduces confidence and could hide exfiltration or unexpected auth flows.
Persistence & Privilege: concernAlthough the skill is not marked 'always', its runtime instructions install a global CLI (npm i -g), which creates persistent binaries on the host and can increase blast radius. The registry metadata did not surface this persistent install, so the skill effectively gains persisted presence without explicit declaration.