airport-lounge

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing an unreviewed global npm package can run third-party code on the user's machine and change the local environment before any travel result is shown.

Why it was flagged

The skill is presented as instruction-only with no install spec, but it directs installation of an unpinned external npm package at runtime.

Skill content

If flyai-cli is not installed, install it first... npm i -g @fly-ai/flyai-cli

Recommendation

Declare the CLI as an explicit dependency, pin the package/version, document its source, and require clear user confirmation before installation.

Concern (High Confidence)
ASI05: Unexpected Code Execution
What this means

The agent may modify the user's system or execute newly downloaded code without a separate approval step.

Why it was flagged

The skill makes local command execution and package installation mandatory, and the install can execute npm lifecycle scripts or place executables globally.

Skill content

Step 0: Environment Check (mandatory, never skip)... flyai --version ... FAIL: command not found -> npm i -g @fly-ai/flyai-cli

Recommendation

Ask the user before running installation commands, prefer a local sandboxed install, and avoid mandatory execution of downloaded code from within the skill instructions.

What this means

Travel search details may be sent to the external provider as part of normal operation.

Why it was flagged

The skill routes travel searches through the flyai/Fliggy provider, so origin, destination, dates, and preferences are expected to leave the local agent context.

Skill content

powered by Fliggy (Alibaba Group)... Every piece of data MUST come from `flyai` CLI output.

Recommendation

Use the skill only for travel details you are comfortable sharing with the provider, and avoid entering unnecessary sensitive personal information.