Skill v3.2.0

ClawScan security

pet-flights · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Apr 27, 2026, 2:43 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's purpose (finding pet-friendly flights) aligns with its instructions, but runtime rules ask the agent to install a third‑party npm CLI globally, potentially run with sudo, and persist execution logs — behaviors that are out of band and deserve caution.
Guidance
This skill mostly does what it says — it relies on a command‑line tool (flyai) to fetch live pet‑friendly flight data — but it instructs the agent to install a third‑party npm package globally (and suggests sudo) and to write execution logs locally. Before installing or allowing the agent to run this skill:
1) Verify the npm package (@fly-ai/flyai-cli) provenance and inspect its code or the publisher's reputation;
2) Do not allow automatic global installs with sudo — prefer that you or an administrator install the CLI manually in a controlled environment;
3) Ask the skill author to clarify authentication (how flyai obtains booking access) and to remove or limit persistent logging of full user queries;
4) Be skeptical of the 'Powered by Fliggy' claim vs. the 'flyai' CLI — request clarification of data sources.
If you cannot verify the CLI package or do not want agents to modify system state or persist sensitive queries, do not enable this skill or only use it after manual, sandboxed installation of the CLI.

Review Dimensions

Purpose & Capability
note: The name/description match the instructions: the skill requires live data from a 'flyai' CLI to return pet‑friendly flight results. However the description also claims 'Powered by Fliggy (Alibaba Group)' while the implementation relies on a separate 'flyai' CLI — this inconsistency could be misleading about the data/source. No declared environment variables or config paths are required, which is consistent with an instruction-only CLI integration.
Instruction Scope
concern: The SKILL.md mandates installing and using an external CLI (@fly-ai/flyai-cli) and forbids answering from training data; it also instructs detailed logging of executions and a file write (.flyai-execution-log.json) 'if file system writes are available'. These runtime actions include network installs, execution of external binaries, and persistent local logging of user queries/commands — all beyond mere read-only query behavior and potentially capturing sensitive input.
Install Mechanism
concern: Although the registry lists no install spec, the skill's mandatory Step 0 instructs 'npm i -g @fly-ai/flyai-cli' (and even 'sudo npm i -g' as a fallback). Installing a global npm package from the public registry executes remote code with local privileges and can modify system state; there is no guidance to verify package provenance, pinned version, or checksum. This is a moderate-to-high risk action for an agent to perform automatically.
Credentials
note: The skill declares no required environment variables or credentials, which is proportionate on the face of it. However, the instructions assume the flyai CLI will provide booking/detailUrl data but do not explain authentication: if the CLI reads local credentials/config files or prompts for API keys, that access is not documented. Also the execution log schema stores raw 'user_query' and commands, which could capture sensitive user data; that persistence is not justified in the metadata.
Persistence & Privilege
concern: The skill is not 'always' enabled, but its runtime rules ask to (a) install a global CLI (possibly with sudo), and (b) append execution logs to a local file if writable. Both create or modify system state and may persist user queries. The combination (global install + suggested sudo + local logging) increases the blast radius and should be reviewed before allowing the agent to act.