Flight Tracker

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill cannot function without an AviationStack API key, and that key is used to make requests to AviationStack.

Why it was flagged

The script requires an AviationStack API key and sends it to the provider as part of the flight lookup. This is expected for the stated integration, but users should recognize that a third-party API credential is involved.

Skill content

api_key = os.environ.get('AVIATIONSTACK_API_KEY')
...
params = { 'access_key': api_key, 'flight_iata': flight_number.upper() }

Recommendation

Use a limited-purpose AviationStack key, monitor usage, and revoke or rotate the key if it is no longer needed.

What this means

Network intermediaries may be able to observe the API key and flight lookup when using the HTTP-only free tier.

Why it was flagged

The documentation discloses that the free tier does not use HTTPS, and the script confirms use of an HTTP AviationStack endpoint. This means the API key and flight query are not protected by transport encryption on the free tier.

Skill content

Uses AviationStack free tier (no HTTPS on free plan)

Recommendation

Prefer an HTTPS-capable plan or avoid using sensitive/reused credentials; treat the AviationStack key as exposed if used over untrusted networks.

What this means

Setup may require manual package installation, and users rely on their local Python package source configuration.

Why it was flagged

The skill asks the user to install an external Python package manually, while the registry requirements do not declare required binaries or dependencies. This is a normal dependency for the script, but it is under-declared in the install metadata.

Skill content

pip3 install requests

Recommendation

Install dependencies from a trusted package index and consider pinning package versions in a requirements file for more reproducible setup.

What this means

Anyone or anything with access to the shell profile may be able to read the AviationStack API key.

Why it was flagged

The setup guide optionally instructs users to persist the API key in a shell profile. This is disclosed and user-directed, but it stores the credential in a local plaintext configuration file.

Skill content

echo "export AVIATIONSTACK_API_KEY='your-api-key-here'" >> ~/.zshrc

Recommendation

Only make the key permanent on trusted machines, and remove it from shell profiles when no longer needed.