airport-hotel

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is mostly a travel-search wrapper, but it tells the agent to automatically install an unpinned global npm CLI package before use, which changes the user environment without a clear install-time approval boundary.

Review before installing. If you use this skill, do not allow unattended npm installation; approve the flyai CLI install only if you trust the package source, preferably with a pinned version or in a sandboxed environment.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing a global npm package can run package installation scripts and leave new executable code on the user's system.

Why it was flagged

The skill directs the agent to install an external, unpinned npm package globally at runtime. That package is not included in the artifact set and the registry metadata declares no install spec or required binary.

Skill content

If flyai-cli is not installed, install it first... npm i -g @fly-ai/flyai-cli

Recommendation

Require explicit user approval before installation, pin the package version, declare the required binary/install step in metadata, and prefer a scoped or sandboxed install where possible.

What this means

A normal travel query could cause the agent to modify the local system by installing and later running third-party code.

Why it was flagged

This is an install-to-run flow that tells the agent to execute a local package installation automatically when the CLI is absent, rather than presenting it as a user-approved setup step.

Skill content

Step 0: Environment Check (mandatory, never skip) ... FAIL: `command not found` -> `npm i -g @fly-ai/flyai-cli`

Recommendation

Change the workflow to ask the user before installing or executing new local tools, and make the install optional and transparent.

What this means

The agent may run travel-search commands or flags beyond the narrow parameter table, which could cause errors or unexpected provider queries.

Why it was flagged

The skill says only listed parameters may be used, but later examples and reference files use additional flags and commands, making the intended CLI scope unclear.

Skill content

NEVER invent CLI parameters. Only use parameters listed in the Parameters Table below... flyai search-flight ... --journey-type 1

Recommendation

Align the parameter table with all documented playbooks and clearly list every allowed command and flag.