Multi City Planner

Summary of issues and recommended next steps before installing or running: 1) Expect to need a flyai API key: the docs instruct configuring FLYAI_API_KEY for flyai-cli but the skill metadata doesn't declare it. If you plan to use live flight data, create an API key on the provider and verify how the scripts consume it. Ask the author to declare required env vars. 2) Inspect the executable scripts before running: plan.js uses child_process.execSync to run scripts under scripts/*. Those scripts may call flyai-cli or make network requests — review them for any hard-coded endpoints, credentials, telemetry, or filesystem access you don’t want shared. Run the code only after manual review or in a sandbox. 3) Note the documentation/code mismatch about hiding internal details: SKILL.md forbids showing skill name/script paths/tool calls, but plan.js prints which script it runs and some HTML files include the skill name/version. If you require strict non-disclosure of the tooling/runtime details, verify and remove those printouts/footers. 4) Run in an isolated environment first: use a sandbox/container or non-privileged account, and avoid running on machines with sensitive credentials. Monitor network traffic on first runs to see what external endpoints are contacted. 5) Ask for clarifications or fixes from the publisher: request the author update the skill metadata to list required env vars (e.g., FLYAI_API_KEY), remove contradictions between SKILL.md and code output, and provide a short security/privacy note describing what data is transmitted to external services. If you want, I can: (a) scan the scripts directory for network calls and suspicious filesystem access, (b) point out exact lines that print internal info, or (c) propose minimal changes to make the metadata and SKILL.md consistent with the code.

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.