Skill v3.2.0

ClawScan security

investor-roadshow · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 24, 2026, 6:54 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's behavior matches its travel-booking purpose, but it instructs the agent to install and run an unvetted npm CLI (@fly-ai/flyai-cli) at runtime (global install), which is disproportionate and raises code-execution and persistence risk.
Guidance
This skill looks like a legitimate travel-booking wrapper around a third-party CLI, but it requires installing `@fly-ai/flyai-cli` at runtime via `npm i -g` from an unverified npm scope. Installing global npm packages runs code on your machine and can persist binaries; because the package and publisher are not declared in the skill metadata, you should be cautious. Before installing or allowing the agent to run this skill: (1) Inspect the npm package (@fly-ai/flyai-cli) on the npm registry and review its source and publisher; (2) Prefer running the CLI installation manually in a controlled environment (sandbox or container) rather than letting the agent run `npm i -g`; (3) Verify you are comfortable with a global install (permission/elevation); (4) If you cannot vet the package, decline or ask for an alternative skill that uses a well-known API or a declared install spec. If you choose to proceed, limit the agent's privileges and monitor the system for unexpected changes.

Review Dimensions

Purpose & Capability
ok: Name, description and CLI commands (flyai search-flight) are coherent: the skill is a travel/roadshow booking helper and relies on a flight-search CLI. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
note: SKILL.md tightly constrains behavior to running the flyai CLI and formatting its JSON output; it does not instruct reading unrelated files or env vars. However, it mandates installing the flyai CLI if absent and enforces strict re-execution rules (self-test requiring [Book](...) links), which could cause repeated CLI installs or retries if the environment is flaky.
Install Mechanism
concern: There is no declared install spec in the registry metadata, yet the runtime instructions direct the agent to run `npm i -g @fly-ai/flyai-cli`. Installing an npm package from an unverified scope at runtime (global install) is a moderate-to-high risk: the package could contain arbitrary code, persist binaries on the system, or require elevated permissions.
Credentials
ok: The skill requests no environment variables, credentials, or config paths beyond the use of the flyai CLI. The lack of requested secrets is appropriate for a search/booking helper.
Persistence & Privilege
note: always:false and no cross-skill config changes — good. But the mandated global npm install writes binaries to the system (persistence) and may require elevated rights; that increases the blast radius compared to an instruction-only skill that uses preinstalled tools.