Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Early Flights

v3.2.0

Find the earliest departing flights of the day — maximize your day at the destination by arriving before noon. Sorted by departure time. Also supports: fligh...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill claims to find early flights and its instructions consistently wrap the @fly-ai/flyai-cli to perform searches and return booking links. Asking to install and invoke flyai-cli is coherent with the stated purpose; no unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md strictly constrains answers to data returned by flyai CLI and provides command templates and output formatting rules. The guidance to never answer from training data is consistent but cannot be enforced by static review. The runbook suggests appending an execution log file ('.flyai-execution-log.json') if filesystem writes are available — this is expected for auditing but means user queries and parameters may be persisted locally.
Install Mechanism
There is no formal install spec in the skill bundle; instead the runtime instructions direct the agent to run 'npm i -g @fly-ai/flyai-cli' if the CLI is missing. Installing a third-party npm package at runtime is coherent with the skill's function but introduces standard supply-chain/network risks (arbitrary code from npm). Users should trust the flyai package and its publisher before allowing automatic installs.
Credentials
The skill requests no environment variables or credentials. The only potential sensitive handling is logging user queries and commands in the optional runbook log; that is proportional to an execution/audit need but may persist user-supplied data (dates, origins, etc.).
Persistence & Privilege
always:false (normal). The skill does not request elevated privileges or modify other skills. It does include an optional write to a local '.flyai-execution-log.json' file if filesystem writes are available — this creates persistent logs in the working directory and should be noted by users who care about local persistence of queries.
Assessment
This skill appears to do what it says: it wraps the flyai CLI to return early‑flight results with booking links. Before installing or running it, decide whether you trust the @fly-ai/flyai-cli npm package (the skill will prompt installing it if missing) and be aware the agent may write an execution log (.flyai-execution-log.json) containing your queries/parameters to the local working directory. If you prefer not to allow runtime installs or local logs, install the flyai CLI yourself and/or run the skill in an environment where you control file writes.

Like a lobster shell, security has layers — review code before you run it.

latest: vk979mdw8xkts8wvw6cgzbzpmf984fmeh
