Skill v3.2.0

ClawScan security

business-flights · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 24, 2026, 8:03 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill’s runtime instructions mostly match a flight-search tool that relies on a third‑party CLI, but there are mismatches and persistence/installation behaviors (global npm install, optional sudo, local logging of queries) that are unexplained and deserve caution before installing or running.
Guidance
This skill appears to be a CLI-driven flight search tool, but exercise caution before installing or running it:
- The description claims Fliggy (Alibaba) but the runtime uses an unrelated CLI (flyai/@fly-ai/flyai-cli); ask the publisher for source/homepage and proof of data provider if you need trust guarantees.
- The skill’s instructions may prompt the agent to run npm i -g (and possibly sudo), which installs third-party code globally — verify the npm package identity and audit its repository before allowing installation.
- The runbook may append user queries and CLI results to a local file (.flyai-execution-log.json). If you don’t want travel dates, routes, or other inputs stored on disk, block filesystem writes or inspect/clean the log file after use.
- Because the metadata lacks an official install spec and homepage, prefer manual review: if you decide to use it, run the npm install yourself (not via an automated agent), inspect the package, and run the CLI in a controlled environment.

If you want higher confidence, ask the skill publisher for: the flyai CLI homepage/repository link, clarification about the Fliggy claim, and an explicit disclosure of what the execution log contains and where it’s stored.

Review Dimensions

Purpose & Capability
Concern: The skill claims to be “powered by Fliggy (Alibaba Group)” in the description but the runtime requires a different CLI (flyai / @fly-ai/flyai-cli). No homepage or source is provided to reconcile this. Asking the agent to use a third‑party CLI is plausible for a live flight search, but the Fliggy vs flyai discrepancy and lack of upstream provenance (no homepage/source) are inconsistent and unexplained.
Instruction Scope
Concern: SKILL.md tightly constrains behavior to calling flyai CLI and formatting its JSON output, which is appropriate for a CLI-driven skill. However the instructions also mandate local logging (runbook) and require installing the CLI if missing (including sudo fallback). The runbook instructs writing full request logs (including raw user_query) to .flyai-execution-log.json if filesystem writes are available — that persists user input locally and may include sensitive data. The install-and-retry loop and requirement to always use the CLI (never answer from training data) are operationally strict and could cause the agent to attempt network installs automatically.
Install Mechanism
Concern: Registry metadata contains no install spec, but SKILL.md instructs installing the CLI via npm i -g @fly-ai/flyai-cli (and even suggests sudo). Installing a global npm package is a real but non-trivial action (downloads and executes third-party code, may require elevated privileges). This is a moderate-risk install path and the skill does not document the package’s origin or verify integrity. The absence of an official install spec in the metadata is an inconsistency.
Credentials
Note: The skill requests no environment variables or credentials, which is proportional for a read-only flight search. Positive: it does not ask for unrelated secrets. Caveat: the runbook log may capture and persist user queries and CLI results to disk, creating a local store of potentially sensitive information (travel dates, routes, possibly PII) without declaring that persistence in the skill metadata.
Persistence & Privilege
Note: The skill is not marked always:true and does not request special agent privileges. However, SKILL.md explicitly instructs writing an execution log file (.flyai-execution-log.json) when filesystem writes are available. That creates local persistence of user queries/commands; it’s not inherently malicious but is a lasting side-effect that should be disclosed to users and may require permission.