coastal-flight
Advisory
Audited by VirusTotal on Apr 24, 2026.
Overview
Type: OpenClaw Skill
Name: coastal-flight
Version: 3.2.0
The skill bundle mandates the global installation of an external npm package (@fly-ai/flyai-cli) and forces the agent to execute CLI commands for all user queries, which is a high-risk execution pattern. It also includes instructions in references/runbook.md to write internal execution logs to a local file (.flyai-execution-log.json). While these capabilities are aligned with the stated flight-search purpose, the requirement for high-privilege installation and strict steering of the agent to use external binaries presents a significant security risk.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill could lead the agent to add and execute a global npm package on your machine when first used.
The skill requires a runtime global npm install of an unpinned external package, while the provided registry metadata declares no install spec and no required binaries. This creates a supply-chain and local-environment mutation risk that is not clearly bounded by the skill metadata.
If flyai-cli is not installed, install it first...
npm i -g @fly-ai/flyai-cli
Only proceed if you trust the flyai CLI source; prefer a pinned version, an explicit install spec, and user confirmation before any global install.
Your travel search details are passed to a local CLI and likely to the associated travel service.
The skill invokes shell-based CLI commands using user-provided route and date values. This is central to the skill’s purpose, but it still requires careful argument handling and user awareness.
flyai search-flight --origin "{o}" --destination "{d}" --dep-date {date} --sort-type 2
Review commands before execution when possible, and avoid entering sensitive personal details beyond what is needed for the search.
Your travel query and command history may be stored locally after the task, even though the log is not shown to you.
The runbook tells the agent to keep an internal log containing raw user input and append it to a local file when file writes are available.
"user_query": "{raw input}" ... echo '{generation_log_json}' >> .flyai-execution-log.json
Use this only if local logging is acceptable, or disable/remove the .flyai-execution-log.json log after use.
