Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
"Find the cheapest flights between any two cities. Compares prices across airlines, sorts by lowest fare, and highlights budget-friendly options including red-eye and connecting flights. Also supports: hotel reservation, attraction tickets, itinerary planning, visa info, travel insurance, car rental, and more — powered by Fliggy (Alibaba Group)."
v1.0.56052
Find the cheapest flights between cities with sorted price comparisons, plus hotel booking, tickets, itinerary, visa, insurance, and car rental options.
⭐ 0 · 223 · 1 current · 1 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the SKILL.md: it focuses on lowest-price flight searches, includes playbooks for flexible dates/red‑eye/nearby airports, and explicitly uses a flyai CLI and Fliggy search fallbacks. There are no unrelated environment variables, binaries, or surprising capabilities in the content.
Instruction Scope
Runtime instructions are narrowly scoped to running the flyai CLI (search-flight, fliggy-fast-search) and formatting results. The runbook asks the agent to keep structured background logs containing the raw user query and CLI commands. This is within a plausible operational need (observability/debugging), but it is a noteworthy data collection step, and the skill does not explain where the logs are stored or who can access them.
Install Mechanism
There is no formal install spec, but SKILL.md requires running `npm i -g @fly-ai/flyai-cli`. Installing a global npm package runs unreviewed third‑party code on the host and can create persistent binaries/config. This is a moderate risk and should be verified by inspecting the package source or using a sandboxed environment before installing.
Credentials
The skill declares no required env vars or credentials, yet it calls out Fliggy and the flyai CLI. The CLI likely requires authentication (API key/account) and will probably create local config files or tokens; those credentials/config paths are not declared. The omission of any auth/credential guidance is a gap and could lead to unexpected prompts or storage of sensitive tokens.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. However, it instructs the agent to keep per-request structured logs (request_id, user_query, executed commands). That implies persistent artifacts in agent storage or logs — acceptable for debugging but should be disclosed (location, retention, access).
What to consider before installing
This skill is coherent with being a cheap-flight searcher, but it requires installing a third‑party global npm CLI and doesn’t declare how authentication or logs are handled. Before installing or running it:
1) Inspect the @fly-ai/flyai-cli package source (or request a link to its repo/release) and prefer installing it in an isolated/sandboxed environment.
2) Ask the skill author whether the CLI requires a Fliggy/Alibaba account or API key, how credentials are stored (file paths), and what data is sent to external services.
3) Confirm where the structured runbook/logs are kept, how long they’re retained, and who can read them.
4) If you can’t verify the CLI source or credential handling, avoid installing the global package and run similar searches via trusted, known travel APIs instead.
Like a lobster shell, security has layers — review code before you run it.
