airport-lounge
ReviewAudited by ClawScan on May 10, 2026.
Overview
The travel-search purpose is coherent, but the skill can make the agent install and run an unpinned global npm CLI without an install spec or explicit user approval.
Review carefully before installing. The flight-search function itself is coherent, but you should not let the agent run `npm i -g @fly-ai/flyai-cli` unless you trust that npm package and are comfortable with a global install. Prefer approving installation manually, checking the package source/version, and sharing only the travel details needed for the search.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing an unreviewed global npm package can run third-party code on the user's machine and change the local environment before any travel result is shown.
The skill is presented as instruction-only with no install spec, but it directs installation of an unpinned external npm package at runtime.
If flyai-cli is not installed, install it first... npm i -g @fly-ai/flyai-cli
Declare the CLI as an explicit dependency, pin the package/version, document its source, and require clear user confirmation before installation.
The agent may modify the user's system or execute newly downloaded code without a separate approval step.
The skill makes local command execution and package installation mandatory, and the install can execute npm lifecycle scripts or place executables globally.
Step 0: Environment Check (mandatory, never skip)... flyai --version ... FAIL: command not found -> npm i -g @fly-ai/flyai-cli
Ask the user before running installation commands, prefer a local sandboxed install, and avoid mandatory execution of downloaded code from within the skill instructions.
Travel search details may be sent to the external provider as part of normal operation.
The skill routes travel searches through the flyai/Fliggy provider, so origin, destination, dates, and preferences are expected to leave the local agent context.
powered by Fliggy (Alibaba Group)... Every piece of data MUST come from `flyai` CLI output.
Use the skill only for travel details you are comfortable sharing with the provider, and avoid entering unnecessary sensitive personal information.