Skill v3.2.0

ClawScan security

anniversary · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 24, 2026, 6:20 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's behavior mostly matches its travel-booking purpose, but it asks the agent to install and run a third‑party npm CLI (no provenance/homepage provided) and to persist execution logs — a supply‑chain / data‑persistence risk that users should review before enabling.
Guidance
This skill mostly behaves like a normal travel integration, but it directs the agent to install and run a third‑party npm CLI (@fly-ai/flyai-cli) and to write execution logs to .flyai-execution-log.json. Before installing or enabling it, consider:
1) Ask the publisher for the CLI's homepage/repository and inspect the package source and maintainers;
2) Prefer running the CLI yourself (outside the agent) to verify network behavior and requests made;
3) If you enable the skill, run it in a sandboxed environment (or container) to limit global npm installs and filesystem writes;
4) Expect that user queries and results may be persisted to disk — avoid submitting sensitive personal data until you confirm privacy/retention policies.
If you cannot verify the CLI package or publisher, treat the skill as higher risk.

Review Dimensions

Purpose & Capability
ok
The name and description describe a travel booking assistant and the SKILL.md consistently instructs the agent to use a flyai CLI to obtain live flight/hotel results. Requiring a vendor CLI is coherent with the stated purpose. However, the package/source is undocumented in the registry metadata (no homepage/source URL), which reduces transparency.
Instruction Scope
concern
The runtime instructions require the agent to run the @fly-ai/flyai-cli and only answer from that CLI output (never from training data). The runbook also instructs logging request details and CLI calls to .flyai-execution-log.json if filesystem writes are available, which will persist user queries and CLI responses (potentially sensitive). The instruction to forcibly install a global npm package and to always rely solely on the CLI expands the agent's runtime actions beyond pure question/answering and should be reviewed.
Install Mechanism
concern
There is no install spec in the registry manifest, but SKILL.md tells the agent to run npm i -g @fly-ai/flyai-cli at runtime. Global npm installs are a supply‑chain risk if the package or its publish source isn't verified. The skill provides no homepage, repo, or checksum to validate the CLI package.
Credentials
note
The skill does not request environment variables, credentials, or config paths (good). Still, invoking an external CLI implies network access and the CLI may require or use credentials outside the skill's declared scope. The runbook's logging will capture user queries and CLI outputs, which could include personal data; that persistence is not declared in requires.config and is worth noting.
Persistence & Privilege
note
The skill is not always-on and does not change other skills' settings. However, it instructs appending execution logs to a file (.flyai-execution-log.json) in the working directory, creating persistent artifacts. Combined with installing a global CLI, this gives the skill lasting presence on the host unless manually removed.