Skillv3.2.0

ClawScan security

airport-hotel · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 24, 2026, 6:20 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions mostly match a flight/hotel booking workflow, but provenance and install instructions are inconsistent and warrant caution (it asks the agent to install and run a third‑party npm CLI while claiming a different service as the backend).
Guidance: This skill behaves like a wrapper around a third‑party CLI (flyai) and requires installing a global npm package at runtime; the publisher and homepage are missing and the manifest also claims it’s “powered by Fliggy,” which doesn’t match the CLI name. Before installing or enabling this skill: 1) Verify the @fly-ai/flyai-cli package on npmjs.com (publisher, downloads, code) and confirm it’s trustworthy; 2) confirm whether the service actually integrates with Fliggy or another provider and ask the skill author for a homepage/source link; 3) be aware that installing a global npm package gives code execution capability on the host (requires Node.js and may require elevated permissions); 4) if you can’t verify the CLI, avoid granting the agent the ability to run installs or execute shell commands, or require manual review/installation of the CLI yourself. If you want higher assurance, ask the author for a signed release URL, repository link, or corporate affiliation that matches the claim of Fliggy/AliBaba.

Review Dimensions

Purpose & Capability: concernThe skill claims to be “powered by Fliggy (Alibaba Group)” but all runtime actions target a third‑party CLI named @fly-ai/flyai-cli (flyai). There is no homepage or source URL to verify the provider. Requesting a CLI to perform searches is plausible for a booking skill, but the mismatch in vendor attribution and lack of provenance is unexplained.
Instruction Scope: concernThe SKILL.md requires the agent to run the flyai CLI for every response and mandates installing a global npm package if the CLI is missing. It forbids answering from training data and forces re-execution until every result contains a booking link. While running a provider CLI is consistent with the skill's purpose, the instructions give the agent capacity to install and execute third‑party code at runtime and provide no fallback except aborting; that broadens the runtime authority beyond simple query formatting.
Install Mechanism: concernThere is no formal install spec, but the runtime instructions instruct: `npm i -g @fly-ai/flyai-cli`. Installing a global npm package at runtime is a moderate risk — it downloads and executes code from the npm registry. The manifest provides no publisher verification, no checksum, and no official upstream URL; this increases risk because the package provenance is unverified.
Credentials: okThe skill does not request environment variables, secrets, or config paths. All required inputs are user-provided parameters (origin, destination, dates, filters), which are proportionate to the stated purpose.
Persistence & Privilege: okThe skill is not always-enabled and does not request elevated platform privileges or system-wide configuration changes. It does direct the agent to perform installs at runtime, but it does not claim persistent control over other skills or global agent settings.