castle-hotel
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may lead the agent to add and run external code on the user's machine before producing travel results.
The skill mandates installing an unpinned external npm package globally at runtime, despite the registry declaring no install spec or required binaries.
If flyai-cli is not installed, install it first. ... npm i -g @fly-ai/flyai-cli
Require explicit user approval before installation, declare the CLI as a dependency, pin a package version, and prefer a reviewed or sandboxed install path over a global npm install.
The agent may execute local commands and send route/date parameters to the flyai service to retrieve results.
The skill is explicitly designed to run local CLI commands. This is central to its purpose, but users should be aware it is not a passive knowledge-base skill.
**You are a CLI executor, NOT a knowledge base.** ... flyai --version ... flyai search-flight --origin "{{o}}" --destination "{{d}}"
Use only if you trust the flyai CLI/provider and review the commands before allowing execution.
The agent could run additional flyai commands during fallback searches, which may produce less predictable provider queries.
The fallback workflow expands beyond the main search-flight command and uses user-derived text in a CLI query. It remains travel-related, but the command surface is broader than the main parameter table suggests.
flyai keyword-search --query "{{origin}} to {{destination}} flight"
Keep searches scoped to the user's request and confirm before running broader fallback searches.
