Skillv3.2.0

ClawScan security

group-flights · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 25, 2026, 10:54 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill is mostly coherent with a CLI-driven group-flight booking workflow, but it asks the agent to install and run a third‑party npm CLI (including sudo) and enforces re-execution/logging behaviors that are disproportionate and risky without further provenance.
Guidance: Before installing or invoking this skill, consider the following: (1) The skill requires installing and running a third‑party npm package (@fly-ai/flyai-cli) globally — that will execute code on your machine and may require sudo; only proceed if you trust the package and its publisher. (2) The skill's files do not include a homepage or source repository for the CLI or the skill, so you cannot easily verify the upstream code. (3) The skill's runbook instructs writing an execution log that may contain raw user queries and CLI output; if you handle sensitive travel or personal data, be cautious about local log persistence. (4) The skill does not request API keys here — authentication likely occurs inside the CLI; ask how the CLI authenticates and where credentials are stored. (5) If you want to proceed, review the npm package on the registry (author, downloads, recent versions, repository, and maintainers) and consider installing the CLI in a controlled environment (container or VM) rather than your primary machine. If you want, I can (a) list concrete checks to inspect the @fly-ai package before running it, or (b) suggest a safer manual workflow that doesn't perform global installs automatically.

Review Dimensions

Purpose & Capability: noteThe name/description (group flight booking, bulk fares) aligns with the runtime instructions: every search must come from a flyai CLI. Requiring an external booking CLI is reasonable for real‑time pricing. Minor mismatch: the skill claims 'Powered by Fliggy (Alibaba Group)' but provides no homepage/source or documented trust boundary for the @fly-ai CLI package.
Instruction Scope: concernThe SKILL.md mandates always obtaining results from the flyai CLI (never using training data) and instructs the agent to install the CLI if missing. It also enforces a strict post‑check (responses must include [Book](...) links) and tells the agent to re-execute until that condition is met. Those rules could lead to repeated network installs/command execution and retried runs. The runbook also instructs logging of raw user queries and CLI calls and suggests persisting them to .flyai-execution-log.json, which records potentially sensitive user input.
Install Mechanism: concernThere is no formal install spec in the package metadata; installation is requested at runtime via `npm i -g @fly-ai/flyai-cli` (and even `sudo npm i -g ...` as a fallback). Global npm installs run arbitrary code on the host and are higher risk. The skill gives no verification steps (no checksum, no official homepage), and the package owner/source is unknown, increasing exposure.
Credentials: noteThe skill does not request environment variables or explicit credentials in metadata, which reduces direct credential-exfiltration risk. However, the flyai CLI presumably handles auth (not documented here). The runbook logs user queries and CLI responses (which could include PII or booking tokens) to a local file if filesystem writes are available; that is a data‑handling behavior users should be aware of.
Persistence & Privilege: noteThe skill does not request always:true or modify other skills. It does instruct the agent to create per-request logs and append them to .flyai-execution-log.json when possible (persistent local storage). The bigger persistence/privilege concern is the instruction to perform global npm installs (and sudo) at runtime, which elevates the skill's impact on the host.