christmas-flight
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could install third-party executable code globally on your machine before returning flight results.
The skill directs the agent to install an unpinned global npm package at runtime. This dependency is not declared in the registry requirements or install spec, making the supply-chain and local-environment impact under-disclosed.
If flyai-cli is not installed, install it first... FAIL: `command not found` ->
```bash
npm i -g @fly-ai/flyai-cli
flyai --version
```
Require explicit user approval before installation, declare the CLI as a dependency in metadata/install specs, pin the package version, document provenance, and prefer a scoped or sandboxed install over npm -g.
The agent may run CLI options or fallback commands that were not clearly included in the main allowed-parameter table.
The instructions define a strict parameter allow-list, but then use a flag not present in that list. Other reference files add further unlisted flags and a keyword-search command, making the intended command boundary unclear.
NEVER invent CLI parameters. Only use parameters listed in the Parameters Table below... Playbook D: `flyai search-flight --origin "{{o}}" --destination "{{d}}" --dep-date {{date}} --journey-type 1 --sort-type 2`
List every permitted command and flag in one consistent allow-list, or remove unsupported playbooks and fallback commands.
