anniversary-flight
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may pull and install third-party code onto the user’s machine before performing a flight search.
The skill requires installing an external npm package globally, with no version pin and no install spec or reviewed package contents included in the artifacts.
npm i -g @fly-ai/flyai-cli
Require explicit user approval before installation, pin the package version, declare the binary/install requirement in metadata, and provide provenance or reviewable code for the CLI dependency.
A normal travel query could cause the agent to modify the local environment and run newly installed software without a clear confirmation step.
The instructions make installation and subsequent CLI execution mandatory rather than user-confirmed, creating an install-to-run flow for external code.
If flyai-cli is not installed, install it first. Do NOT skip to a knowledge-based answer.
Change the workflow to ask the user before installing or running new software, and provide a safe fallback when the CLI is unavailable.
Your travel preferences may be shared with the external flight-search provider as part of the search.
The skill relies on a third-party travel provider via the flyai CLI, so user travel search details such as origin, destination, and dates are likely sent to that provider.
powered by Fliggy (Alibaba Group)
Only use the skill if you are comfortable sending the requested travel details to the flyai/Fliggy service, and avoid entering unnecessary personal information.
