Skill v3.2.0

ClawScan security

birthday-flight · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 24, 2026, 8:08 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's runtime instructions mostly match a CLI-based flight-booking purpose, but there are several incongruities and operational risks (npm global install, mismatched vendor branding, unlisted CLI flags, and a forced re-execution/self-test rule) that warrant caution before installing or allowing autonomous execution.
Guidance
Before installing or enabling this skill:

1) Ask the skill author to clarify the vendor: is it actually Fliggy/Alibaba or 'flyai'? Request a homepage, repository link, or official package URL for @fly-ai/flyai-cli.
2) Do not allow the agent to run global npm installs without review—global installs run third-party code on your system. If you must proceed, run the npm install in a sandboxed environment and inspect the package source.
3) Confirm Node.js/npm availability and whether you permit global packages.
4) Note the SKILL.md inconsistencies (unlisted flags like --max-price, extra commands, and the 'self-test' loop) — ask the author to fix them; they could cause repeated executions or unexpected commands.
5) If you want to try safely, first run a harmless query in a controlled environment and inspect the raw CLI output the agent would receive.

If the author cannot provide a verifiable package homepage/repo or explain the Fliggy vs flyai discrepancy, treat the skill as untrusted.

Review Dimensions

Purpose & Capability
note: The skill claims to be "powered by Fliggy (Alibaba Group)" but all runtime behavior relies on an npm package and a CLI named flyai/@fly-ai/flyai-cli. Asking to install and use a third-party CLI is coherent for a CLI-driven booking skill, but the branding mismatch (Fliggy vs flyai) is unexplained and should be clarified by the author.
Instruction Scope
concern: The SKILL.md requires that every answer come from flyai CLI output and enforces a 'self-test' that forces re-execution if no [Book](...) links are present. This can lead to repeated CLI calls or loops if the CLI returns no links. The documentation also references commands/flags not listed in the Parameters table (e.g., --max-price, --seat-class-name, flyai keyword-search), which contradicts the rule 'NEVER invent CLI parameters.' These inconsistencies can cause the agent to run unexpected commands or loop attempting to satisfy the Book-link requirement.
Install Mechanism
concern: Although the skill has no formal install spec, the SKILL.md instructs installing a global npm package (npm i -g @fly-ai/flyai-cli). Installing a global npm package is a moderate-risk operation: it executes third-party code on the host, requires npm/Node (the doc suggests Node but doesn't check it before attempting install), and the package's provenance/homepage/release signatures are not provided. The registry package name looks plausible but its source is unknown.
Credentials
ok: The skill does not request environment variables, credentials, or access to config paths. This is proportionate to a read-only query/booking lookup CLI skill. Note: the runtime expects the host to allow global npm installs and to have Node/npm available—these are implicit system dependencies rather than secrets.
Persistence & Privilege
ok: The skill is not marked always:true and doesn't request elevated persistent system-wide privileges in the manifest. It instructs installing a global CLI tool (which modifies the system), but it does not claim to change other skills or agent configuration. Autonomous invocation is allowed (default) — normal for skills — but combined with the install instruction this increases potential impact if the CLI is untrusted.