Skill v3.2.0
ClawScan security
Concert Event Tickets · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 9, 2026, 2:47 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions largely match a ticket-search tool, but it asks the agent to globally install and run a third‑party CLI, write execution logs, and contains contradictory/ambiguous instructions — these mismatches and operational risks merit caution before installing or running it.
- Guidance: Before installing or running this skill, consider the following:
  - The skill forces use of a third‑party CLI and tells the agent to run `npm i -g @fly-ai/flyai-cli`. Installing global npm packages changes your system and may require elevated privileges; verify the package name, publisher, and official source (npm registry page, GitHub repository, checksums) before installing. If you must test, run it in a disposable or sandboxed environment (container, VM).
  - The SKILL.md instructs the agent to write an execution log (.flyai-execution-log.json) containing user queries and commands. If that log would be persisted on your machine, it could expose sensitive queries/ids — confirm where logs are stored and consider disabling or isolating them.
  - There are contradictory/ambiguous instructions in the document (example: the line about using vs never using `detailUrl`). Ask the skill author to clarify these contradictions — ambiguous rules increase the chance of incorrect or unsafe outputs.
  - The description mentions broad travel services (flights, hotels, visa info) but the playbooks only cover events/tickets. Confirm the true scope and whether additional CLI commands or credentials are required for those extra features.
  - Because the registry metadata contains no install provenance or homepage, treat the package as unverified until you can confirm its origin. If you are not comfortable, do not install the CLI globally and prefer a sandboxed execution environment.

  If you want, I can: (a) draft questions to ask the skill author for clarification, (b) show a minimal safe checklist for testing the CLI in a container, or (c) attempt to map all flyai CLI commands referenced so you can validate them against an upstream project page.
Review Dimensions
- Purpose & Capability (note): The stated purpose (find events and provide booking links) aligns with the required use of a dedicated CLI (flyai). However the description also mentions broad travel services (flights, hotels, visa, etc.) that are not reflected in the playbooks and parameters, which suggests scope creep. The manifest lists no install or credentials but the SKILL.md requires installing a third‑party CLI — this is inconsistent with the 'no install spec' metadata.
- Instruction Scope (concern): SKILL.md forces all data to come from the flyai CLI and instructs the agent to install the CLI if absent. It also instructs creating and persisting a local execution log (.flyai-execution-log.json) containing full request data. The file write behavior is optional 'if file system writes are available' but present in runbook; that can expose user queries and results on disk. There are also contradictory/ambiguous output rules (e.g., 'Use `detailUrl` for booking links. Never use `detailUrl`.') which could cause incorrect/unsafe behavior. The instructions do not ask to read unrelated system files or credentials, but the forced install+logging and ambiguous rules raise scope and privacy concerns.
- Install Mechanism (concern): The skill is instruction-only in the registry (no install spec), yet the runtime instructions mandate running `npm i -g @fly-ai/flyai-cli`. A global npm install can modify the host environment, may require elevated privileges on some systems, and installs third‑party code without checksum or verified source. The registry should have declared an install spec or explicit provenance; absence of that metadata plus an in‑text install command is a mismatch and increases risk.
- Credentials (note): The skill does not request environment variables or credentials, which is proportionate for a read-only search/booking tool. However, installing a global CLI and writing execution logs are actions that affect the environment and may expose user data on disk. The skill references being 'Powered by Fliggy (Alibaba Group)' but does not request any Alibaba creds — this is not necessarily malicious but is a discrepancy to verify if the flyai backend actually requires third‑party auth.
- Persistence & Privilege (concern): The skill does not set always:true and does not request special system privileges in the manifest. However, it instructs optional persistent logging to a .flyai-execution-log.json file and enforces global installation of a CLI (npm -g), which can result in persistent system changes and may require elevated permissions. Those behaviors increase persistence/privilege impact compared with a pure instruction-only skill.
