Skill v3.2.0

ClawScan security

babymoon · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 24, 2026, 6:21 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions mostly match a flight-booking tool, but there are inconsistencies and missing operational details (unknown CLI source, global npm install, and no declared auth) that merit caution before installing or running it.
Guidance
Before installing or enabling this skill, consider the following: (1) It will try to install and run an npm package globally (@fly-ai/flyai-cli) — confirm you trust that npm package and its publisher; ask the skill author for the package homepage, repository link, and publisher info. (2) The description mentions Fliggy but the runtime uses 'flyai' — ask which service actually provides results and whether any API keys or affiliate credentials are required. (3) Global npm installs and CLI execution can change the environment; prefer running this in a sandbox or isolated agent environment if possible. (4) The skill's strict re-execution rules could cause repeated CLI calls; ensure resource limits are in place. If you cannot verify the flyai CLI provenance and authentication details, treat this skill as untrusted until the author provides a repository or official service documentation.
Findings
[no_code_files_present] expected: The skill is instruction-only (SKILL.md + references). The regex scanner had nothing to analyze; absence of code is expected for an instruction-only integration, but it also means runtime behavior depends entirely on external CLI commands.

Review Dimensions

Purpose & Capability
note: The skill claims to book flights (and related travel items) and its runtime instructions center on a CLI (flyai) that performs searches and returns booking links — this is coherent for a booking skill. However, the description mentions 'powered by Fliggy (Alibaba Group)' while every runtime step references a separate 'flyai' CLI. If the integration is with Fliggy, we'd expect explicit credentials or an explanation of how flyai obtains Fliggy data; the mismatch is unexplained.
Instruction Scope
concern: SKILL.md mandates executing the flyai CLI and, if missing, installing it globally via npm. It requires strict rules (never answer from training data, every result must include [Book](detailUrl), re-execute if checks fail). These are operationally prescriptive and could cause repeated CLI installs/executions if requirements fail. The skill does not instruct how to authenticate the CLI (if required), nor does it explain where the CLI comes from or what access it needs.
Install Mechanism
concern: There is no declared install spec in the registry, but the runtime instructions tell the agent to run `npm i -g @fly-ai/flyai-cli`. Installing a global npm package at runtime is a moderate-to-high risk operation because the package source/maintainer is unknown here. The registry metadata provides no homepage or publisher info for the CLI, so the provenance of that package is unclear.
Credentials
concern: The skill declares no required environment variables or credentials, yet it depends entirely on an external CLI. Many booking/affiliate CLIs require API keys or config; the SKILL.md does not explain how the flyai CLI authenticates or whether secret tokens are needed. The absence of declared credentials is an unexplained gap — either the CLI is fully public (unlikely for booking/affiliate operations) or credential handling is omitted from the instructions.
Persistence & Privilege
ok: The skill does not request always-on presence, does not declare modifications to other skills or system configs, and has default autonomous invocation settings. That privilege level is normal for a user-invocable booking skill.