Skill v3.2.0

ClawScan security

Cherry Blossom Trip · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 9, 2026, 12:40 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions force installation and use of an external CLI for all answers and imply booking behavior, but the package/install/credential needs are not declared and there are contradictory and risky instructions—this mismatch warrants caution.
Guidance
This skill forces installing and using an external CLI (npm i -g @fly-ai/flyai-cli) and requires that answers come only from that CLI, but the registry metadata omits an install spec and any credential requirements. Before installing/using it:
- Verify the flyai CLI package on npm (publisher name, download counts, README, recent activity) and prefer installing in a sandbox/container rather than your main environment.
- Ask the skill author for an explicit install spec and the exact credentials needed (and where they are stored). Do not provide secrets until you confirm how authentication is handled.
- Be aware the runbook can log queries to .flyai-execution-log.json (may include PII and booking details); decide whether that persisted log is acceptable.
- The SKILL.md contains contradictory output rules and placeholder commands; request clarification and concrete example commands the skill will run.

If you cannot validate the npm package publisher, the CLI's authentication model, and the intended log storage, treat this skill as risky and avoid installing it.

Additional info that would raise confidence: a homepage or official publisher, declared install spec in the registry, an explicit list of required env vars and where credentials are stored, and concrete, non-placeholder CLI command examples.

Review Dimensions

Purpose & Capability
concern: The skill claims real-time booking and pricing (powered by Fliggy/flyai) which legitimately requires an external CLI and likely service credentials, but the registry metadata lists no required binaries, no install spec, and no environment variables. That mismatch (asking the agent to install/run @fly-ai/flyai-cli while declaring no install or credentials) is incoherent and unexplained.
Instruction Scope
concern: SKILL.md mandates that every answer must be sourced from flyai CLI output and that the agent must install and run npm i -g @fly-ai/flyai-cli if the CLI is absent. It forbids using training data and insists on exact CLI-derived links. The runbook also instructs optionally writing execution logs to .flyai-execution-log.json. There are also contradictory rules in Output Rules (e.g., 'Use `detailUrl` for booking links. Never use `detailUrl`') and many placeholders instead of concrete CLI invocations in playbooks — overall the instructions are prescriptive and inconsistent.
Install Mechanism
concern: There is no install specification in the registry, yet the runtime instructions require a global npm install (npm i -g @fly-ai/flyai-cli). Installing a global npm package without an explicit install spec in the registry is higher risk: the package source (npm) and publisher are not documented here, and the skill provides no checksums, homepage, or verified release info.
Credentials
concern: The skill performs booking and real-time pricing but declares no required environment variables or credentials. Real-time booking CLIs commonly require API keys or user authentication; absence of any declared credential requirements is suspicious and leaves unclear where credentials would be supplied or stored.
Persistence & Privilege
note: always:false (good), and the skill does not request system-wide privileges. However, the runbook suggests appending execution logs to .flyai-execution-log.json if filesystem writes are available, which means user queries and CLI commands could be persisted locally. This is not necessarily malicious but is a privacy consideration that should be disclosed and controlled.