Skillv3.2.0

ClawScan security

golf-trip · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 24, 2026, 6:03 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill is broadly coherent for a flight-booking helper but it forces installing and trusting an unverified npm CLI and claims a Fliggy affiliation that isn’t substantiated in the metadata — verify the CLI/package before installing or letting the agent run it automatically.
Guidance: Before installing or enabling this skill, consider the following: (1) The skill forces the agent to install and run '@fly-ai/flyai-cli' from npm with no homepage or source listed — verify the npm package, publisher, and source repository yourself (inspect package contents, readme, and who publishes it). (2) The description references 'Fliggy (Alibaba Group)' but the package/CLI name doesn't match that brand — ask the author to clarify the integration and provide authoritative links. (3) A global npm install runs code on your machine/agent environment and may require elevated permissions; run it in a sandbox or isolated environment first. (4) The skill's strict rule to only respond with CLI-derived results and to re-execute if booking links are missing could cause repeated network activity — confirm rate/timeout behavior and whether the CLI collects telemetry or requires credentials. (5) If you cannot verify the CLI package and publisher, decline or run the skill in a tightly controlled environment; request the skill owner to provide source/homepage and an explanation of the Fliggy claim. If you want, ask me to list concrete checks to perform on the npm package (e.g., check package.json, repository field, unpack and review scripts, look for postinstall hooks).

Review Dimensions

Purpose & Capability: noteThe skill's name and description (golf-trip flight/hotel/etc.) match the runtime instructions that rely solely on a 'flyai' CLI. However the description claims 'powered by Fliggy (Alibaba Group)' while the CLI and npm package referenced are '@fly-ai/flyai-cli' — there is no homepage/source or declared credentials linking this skill to Fliggy. That branding mismatch is unexplained and worth verifying.
Instruction Scope: okSKILL.md confines runtime actions to the flyai CLI and templates; it does not instruct the agent to read arbitrary files, environment variables, or external endpoints beyond running the CLI. It enforces strict rules (must use CLI output, must include [Book](detailUrl) links) which prevent fallback to model knowledge. One operational risk: the re-execute-on-failure requirement and the 'must have [Book] link' rule could cause repeated CLI invocations if outputs are missing.
Install Mechanism: noteThere is no install spec in registry metadata (instruction-only), but the SKILL.md mandates installing an npm package at runtime: 'npm i -g @fly-ai/flyai-cli' if flyai is missing. Installing a global npm package is common for CLIs, but the package and publisher are not verifiable from the skill bundle (no homepage or source repo). That creates a trust decision: the agent will download and run code from the npm registry without a listed source to validate.
Credentials: okThe skill does not request any environment variables, credentials, or config paths. This is proportionate to its stated function (running a public CLI). There are no unexplained secrets requested in the skill metadata or instructions.
Persistence & Privilege: okFlags: always=false and no special privileges. The skill does not ask to persist itself or modify other skills/configs. The only persistent effect would be the npm global install the agent might perform at runtime (it would write to the host if allowed), which is an expected side-effect but should be intentional and sandboxed by the user/operator.