afternoon-flight
Review
Audited by ClawScan on May 10, 2026.
Overview
This flight-search skill is mostly purpose-aligned, but it tells the agent to automatically install an unpinned global npm CLI, which changes the user’s environment and creates supply-chain risk.
Review this skill before installing. Its flight-search workflow is understandable, but do not allow automatic global npm installation unless you trust the @fly-ai/flyai-cli package source and are comfortable with a persistent system-level CLI dependency.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A normal flight-search request could cause the agent to install third-party software globally on the user’s machine before returning results.
The skill is listed as instruction-only with no install spec, but its mandatory workflow installs an unpinned global npm package at runtime. Global npm installs can modify the local environment and may run package lifecycle code.
If flyai-cli is not installed, install it first... npm i -g @fly-ai/flyai-cli
Require explicit user approval before installation, pin the package/version, document the dependency in the install spec, and prefer a local or sandboxed install path.
The agent may run CLI options or commands that are not clearly within the main parameter contract, causing unexpected failures or broader provider queries.
The instructions restrict the agent to listed parameters, but the playbook uses an unlisted flag. Other reference files also mention additional flags and a keyword-search command, making the tool boundary less clear.
NEVER invent CLI parameters. Only use parameters listed in the Parameters Table below... flyai search-flight ... --journey-type 1 --sort-type 2
Make the allowed command and parameter list consistent across all files, and validate user-supplied values before constructing shell commands.
