birthday-trip

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill’s travel-search purpose is understandable, but it asks the agent to install and run an unpinned global npm CLI and to keep a local raw-query log without clear user control.

Before installing, confirm you trust the @fly-ai/flyai-cli npm package and approve any global installation. Be aware that the skill may send travel search details to the flyai/Fliggy provider and may write a local .flyai-execution-log.json file containing your raw query unless logging is disabled or removed.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could change the local environment and run npm package installation behavior before the user has reviewed or approved the specific CLI code.

Why it was flagged

The skill instructs the agent to install a global, unpinned npm package at runtime before answering. The provided artifacts do not include the package contents, version pin, provenance, or an install spec for review.

Skill content

"If flyai-cli is not installed, install it first." ... "npm i -g @fly-ai/flyai-cli"

Recommendation

Verify the package source before use, require explicit user approval for installation, pin a reviewed version, and declare the required binary/install mechanism in metadata.

What this means

Birthday, travel-date, destination, and other personal trip details may remain in the workspace after the task is finished.

Why it was flagged

The runbook directs the agent to log the raw user query and execution details to a persistent local file when file writes are available, but does not define retention, user consent, redaction, or a skill-scoped storage path.

Skill content

"user_query": "{raw input}" ... "echo '{generation_log_json}' >> .flyai-execution-log.json"

Recommendation

Ask before writing logs, redact raw user input, store only under a clearly scoped skill directory, and document how users can disable or delete the log.