coastal-flight
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill could lead the agent to add and execute a global npm package on your machine when first used.
The skill requires a runtime global npm install of an unpinned external package, while the provided registry metadata declares no install spec and no required binaries. This creates a supply-chain and local-environment mutation risk that is not clearly bounded by the skill metadata.
If flyai-cli is not installed, install it first... npm i -g @fly-ai/flyai-cli
Only proceed if you trust the flyai CLI source; prefer a pinned version, an explicit install spec, and user confirmation before any global install.
Your travel search details are passed to a local CLI and likely to the associated travel service.
The skill invokes shell-based CLI commands using user-provided route and date values. This is central to the skill’s purpose, but it still requires careful argument handling and user awareness.
flyai search-flight --origin "{o}" --destination "{d}" --dep-date {date} --sort-type 2
Review commands before execution when possible, and avoid entering sensitive personal details beyond what is needed for the search.
Your travel query and command history may be stored locally after the task, even though the log is not shown to you.
The runbook tells the agent to keep an internal log containing raw user input and append it to a local file when file writes are available.
"user_query": "{raw input}" ... echo '{generation_log_json}' >> .flyai-execution-log.json
Use this only if local logging is acceptable, or disable/remove the `.flyai-execution-log.json` log after use.
