Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Flight Tracker
v1.0.0Track flights in real-time with detailed status, gate info, delays, and live position. Use when user asks to track a flight, check flight status, look up flight information by flight number (e.g., "track AA100", "what's the status of United 2402", "check my flight BA123"), or wants to display flight data in a formatted view similar to Flighty app.
⭐ 0· 1.9k·2 current·2 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name, description, SKILL.md, and the included Python script all align: the skill queries AviationStack for flight data and formats it. However, the published registry metadata lists no required environment variables while the runtime instructions and script clearly require AVIATIONSTACK_API_KEY — this mismatch is an incoherence that should be corrected or explained by the publisher.
Instruction Scope
Runtime instructions are narrowly scoped to extracting a flight number, calling the AviationStack API, and formatting results. The script only references the AviationStack endpoint and does not access other system files or credentials. Note: SKILL.md and the code explicitly document that the free AviationStack tier is HTTP-only (unencrypted), which is a privacy/security consideration for API key and flight queries.
Install Mechanism
There is no install spec (instruction-only skill plus a script), which limits disk persistence risk. The SKILL.md and script require the Python 'requests' package to be installed (pip3 install requests) — this dependency is reasonable but not declared in registry metadata. No downloads from unknown URLs or archive extraction are present.
Credentials
The only runtime secret required is AVIATIONSTACK_API_KEY, which is proportionate to the stated purpose. However, the skill metadata does not declare this required environment variable (registry shows 'Required env vars: none'), creating an inconsistency that could mislead users into installing without supplying the key. Additionally, because the free tier uses HTTP, the API key would be transmitted in cleartext unless the user upgrades to a paid (HTTPS) tier or uses a different API.
Persistence & Privilege
The skill does not request elevated or persistent platform privileges (always:false). It does not modify other skills or system-wide settings. It is user-invocable and can be called autonomously by the agent (default), which is expected for skills.
What to consider before installing
This skill's code matches its description and only needs an AviationStack API key, but the registry metadata omits that required env var — ask the publisher to fix the metadata. Before installing: (1) review the script yourself (it is small and readable); (2) be aware the free AviationStack tier uses HTTP (your API key and queries may be sent unencrypted) — consider a paid tier or alternative API that supports HTTPS; (3) only set AVIATIONSTACK_API_KEY in environments you trust (avoid exposing it in shared or public shells); (4) install the 'requests' Python package in an isolated environment (venv) rather than system-wide; and (5) prefer skills with a known source/homepage or contact the owner if you need provenance assurance.Like a lobster shell, security has layers — review code before you run it.
latestvk97as1rhay9n1ffz7kd0rxx5md7zwm1v
License
MIT-0
Free to use, modify, and redistribute. No attribution required.