Flight Tracker
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: copey-flight-tracker
Version: 1.0.0
The skill's core functionality is benign, tracking flights using the AviationStack API as described. However, the `scripts/track_flight.py` script makes API calls over unencrypted HTTP (`http://api.aviationstack.com`) to `aviationstack.com`, transmitting the `AVIATIONSTACK_API_KEY` in plain text. While this limitation of the free API tier is disclosed in `SKILL.md` and `references/api-setup.md`, sending an API key (a credential) over an unencrypted channel is a significant security risk, making the skill suspicious due to potential credential interception.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone installing the skill must provide an AviationStack API key; on the free tier, the key is sent over HTTP, which can expose it to network observers.
The script reads a provider API key from the environment and sends it to AviationStack as the access key. This is expected for the flight-tracking purpose, but users should know it is a credential and the endpoint is HTTP.
```python
api_key = os.environ.get('AVIATIONSTACK_API_KEY')
...
base_url = "http://api.aviationstack.com/v1/flights"
...
'access_key': api_key
```
Use a low-privilege/free AviationStack key where possible, avoid reusing sensitive credentials, and prefer a paid HTTPS-enabled plan if credential confidentiality matters.
Installing an unpinned package can pick up whatever current version is available from the package index.
The skill relies on an external Python package installed by the user, but the dependency is not pinned or represented in an install specification. This is common and purpose-aligned, but users should install from a trusted Python environment.
Install dependencies:
```bash
pip3 install requests
```
Install `requests` from the official Python package index in a trusted environment, or pin a known-good version if reproducibility is important.
