Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Business Class Finder
v1.0.1
Search premium cabin flights — business class and first class. Compare comfort, lounge access, frequent flyer miles, and value across airlines. Also supports...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (searching premium cabins / booking links) aligns with the instructions: it delegates searches to the flyai CLI. No unrelated environment variables, binaries, or config paths are requested.
Instruction Scope
Runtime instructions require installing and invoking the external flyai CLI and forbid using training data. They also instruct the agent to persist an execution log to .flyai-execution-log.json if filesystem writes are available, and the fallback suggests running 'sudo npm i -g' if install fails. Persisting logs and suggesting sudo are scope-creep beyond mere query handling and raise privacy/privilege concerns.
Install Mechanism
No formal install spec is provided in the registry metadata; instead SKILL.md instructs installing @fly-ai/flyai-cli from npm at runtime (global install). Installing an npm package is a reasonable way to get a CLI, but global npm installs and npm postinstall scripts can run arbitrary code — this is a moderate-risk install path. The package origin/version is not pinned and the skill's homepage is empty.
Credentials
The skill does not request environment variables or credentials (good). However, it recommends (in fallbacks) using sudo to install the CLI and may write local logs containing full user queries and CLI output. Asking for elevated install rights and persisting potentially sensitive logs is disproportionate to the declared purpose unless the user explicitly consents and is running in a controlled environment.
Persistence & Privilege
always is false and the skill does not claim to modify other skills or system-wide settings. It does, however, instruct creating a persistent execution log (.flyai-execution-log.json) in the working directory when possible — this is local persistence of user queries and results and should be considered by the user before installing.
What to consider before installing
This skill is an instruction-only wrapper that relies on installing and running the third-party npm CLI @fly-ai/flyai-cli to fetch real-time flight data. Before installing or invoking it:
- Verify the origin and source code of the @fly-ai/flyai-cli package (review its npm page and repository) rather than blindly running npm i -g.
- Avoid running global installs with sudo unless you trust the package and understand the risks; prefer installing in a sandbox or container, or use npx/local install when possible.
- Be aware the runbook suggests writing an execution log (.flyai-execution-log.json) containing user queries and CLI outputs to disk — treat that as potentially sensitive data and ensure it's stored in a safe location or disabled.
- Confirm you are comfortable with the CLI making network calls to remote booking services (this is necessary for live pricing) and review its privacy policy.
- If you want higher assurance, request the skill author/source repository or a pinned package version; otherwise consider running the CLI interactively in an isolated environment first.

Like a lobster shell, security has layers — review code before you run it.
