beach-hotel

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is a coherent travel-search helper, but it tells the agent to install an unpinned global npm CLI during use without a declared install spec or clear user approval.

Review carefully before installing. The travel-search workflow itself is coherent, but do not let the agent globally install @fly-ai/flyai-cli unless you trust that npm package and approve the system change. Prefer installing a pinned version yourself or using a reviewed install spec.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill could lead the agent to change your local system by globally installing external npm software before answering a travel query.

Why it was flagged

The skill directs runtime installation of an unpinned global npm package. The provided metadata says there is no install spec and no required binary, so users do not get a clear pre-install review of this dependency.

Skill content

If flyai-cli is not installed, install it first... npm i -g @fly-ai/flyai-cli

Recommendation

Require explicit user approval before installation, declare flyai as a required binary or install dependency, pin the npm package version, and document the package source/provenance.

What this means

Malformed or unexpected user input could cause command errors or unintended CLI behavior if an agent substitutes it unsafely.

Why it was flagged

The skill builds shell CLI commands from user-provided travel parameters. This is expected for a travel-search CLI, but inputs should be validated and safely quoted before execution.

Skill content

flyai search-flight --origin "{{o}}" --destination "{{d}}" --dep-date {{date}} --sort-type 2

Recommendation

Treat all route and date values as data, validate dates and city names, and avoid executing raw user-provided strings as shell syntax.

What this means

If the provider returns no valid booking links, the agent may repeat external CLI searches instead of stopping promptly.

Why it was flagged

The output validation tells the agent to re-run CLI commands whenever booking links or CLI-backed data are missing. This is purpose-aligned for avoiding fabricated travel results, but it should have a retry limit.

Skill content

Any NO -> re-execute from Step 2.

Recommendation

Add explicit retry limits and a clear fallback response when no valid results or booking links are available.