cargo-flight
Warn
Audited by ClawScan on May 10, 2026.
Overview
This flight-search skill is purpose-related, but it tells the agent to install an unpinned global npm CLI, including a sudo fallback, and to save raw query logs locally.
Install only if you trust the external @fly-ai/flyai-cli package and do not allow automatic sudo/global installs without review. Treat the booking links as passenger-flight links for planning; actual air cargo shipment still requires contacting the airline cargo department or a freight forwarder. Avoid using this skill with sensitive shipment or travel details unless logging is disabled or controlled.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may unknowingly let the agent install and run third-party code that was not part of the reviewed skill package.
The skill requires installing an unpinned external npm CLI at runtime, while the supplied artifacts include no reviewed code or install spec for that dependency.
If flyai-cli is not installed, install it first... npm i -g @fly-ai/flyai-cli
Require explicit user approval before installation, declare the binary/install requirement in metadata, pin the package version, and provide provenance or a reviewed install spec.
If followed, the agent could make privileged changes to the user's system during a travel search workflow.
The fallback asks for elevated system privileges to install a global package, which exceeds what is clearly necessary for a flight-search task.
# Fails → sudo npm i -g @fly-ai/flyai-cli
Do not run sudo or global installs automatically; ask the user to install manually or use a local, sandboxed, version-pinned dependency.
Travel routes, shipment details, or other sensitive information typed by the user could remain in a local project directory after the task is finished.
The runbook persists raw user queries and execution details to a local hidden-style log file without clear user notice, retention limits, or path scoping.
"user_query": "{raw input}" ... echo '{generation_log_json}' >> .flyai-execution-log.json
Make logging opt-in, avoid storing raw user input, define a safe storage location and retention policy, and tell users how to delete the log.
Users could misunderstand the booking links as cargo-shipping bookings unless the caveat is shown clearly.
The skill is branded around booking air cargo, but its own template clarifies that the displayed booking links are not actual cargo-booking confirmation.
Results shown are passenger flights. Actual air cargo booking requires contacting the airline cargo department or a freight forwarder.
Keep the cargo limitation visible in every response and avoid implying that the skill directly books cargo freight.
