babymoon
ReviewAudited by ClawScan on May 10, 2026.
Overview
This is a coherent travel-search skill, but it asks the agent to install and run an unpinned global npm CLI that was not included in the review.
Review the global npm install before using this skill. If you proceed, approve installation only from a trusted source, consider running it in a sandbox or local project scope, avoid sharing unnecessary pregnancy or medical details, and confirm all booking links directly with the travel provider.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing a global npm package can execute package installation scripts and leave a persistent command on the user’s machine.
The skill requires installing an unpinned global npm package whose source code is not part of the reviewed artifacts.
If flyai-cli is not installed, install it first... npm i -g @fly-ai/flyai-cli
Only proceed if you trust the flyai package source. Prefer a declared, pinned, reviewed install spec or a sandboxed/local install with explicit user approval.
Poorly parsed or malformed input could cause command errors or unsafe shell interpolation if an agent executes the template directly.
The skill builds shell-style CLI commands from user-derived travel parameters; this is expected for the purpose, but arguments should be validated and safely passed.
Collect required parameters from user query... flyai search-flight --origin "{{o}}" --destination "{{d}}" --dep-date {{date}} --sort-type 2Validate dates and city names, escape or pass arguments as structured command arguments, and ask before running commands that install software or change the environment.
Your departure, destination, dates, and related travel preferences may be shared with the travel provider when searches are run.
The skill sends user travel search details to an external provider through the flyai CLI, which is expected for flight search but should be visible to users.
powered by Fliggy (Alibaba Group)... flyai search-flight --origin "{{o}}" --destination "{{d}}" --dep-date {{date}}Share only the travel details needed for the search, avoid including unnecessary medical or personal information, and verify booking links before purchasing.