christmas-flight
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly aligned with flight search, but it tells the agent to install an unpinned global npm CLI at runtime without that dependency being declared in the install metadata.
Install only if you are comfortable with an agent using a third-party travel CLI and potentially installing it globally via npm. Verify the @fly-ai/flyai-cli package and version yourself, and require approval before any install or booking-link workflow runs.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could install third-party executable code globally on your machine before returning flight results.
The skill directs the agent to install an unpinned global npm package at runtime. This dependency is not declared in the registry requirements or install spec, making the supply-chain and local-environment impact under-disclosed.
If flyai-cli is not installed, install it first... FAIL: `command not found` ->
```bash
npm i -g @fly-ai/flyai-cli
flyai --version
```
Require explicit user approval before installation, declare the CLI as a dependency in metadata/install specs, pin the package version, document provenance, and prefer a scoped or sandboxed install over npm -g.
The agent may run CLI options or fallback commands that were not clearly included in the main allowed-parameter table.
The instructions define a strict parameter allow-list, but then use a flag not present in that list. Other reference files add further unlisted flags and a keyword-search command, making the intended command boundary unclear.
NEVER invent CLI parameters. Only use parameters listed in the Parameters Table below... Playbook D: `flyai search-flight --origin "{{o}}" --destination "{{d}}" --dep-date {{date}} --journey-type 1 --sort-type 2`
List every permitted command and flag in one consistent allow-list, or remove unsupported playbooks and fallback commands.
