Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Travel Bundle

v3.2.0

Find package deals combining hotel and flights — often 10-20% cheaper than booking separately. One search, one booking, complete trip. Also supports: flight...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability (flagged)
The SKILL.md requires the third-party flyai CLI to perform real-time searches and produce booking links, which is consistent with a travel-bundling capability. However, the registry metadata claims no required binaries or environment variables, and there is no homepage or repository through which the external service or package could be verified. Asking the agent to install and run an external CLI while declaring nothing under 'required binaries' is an inconsistency.
Instruction Scope (flagged)
The instructions mandate using only flyai CLI output (never training data) and installing the flyai CLI if it is missing. They require the agent to execute multiple external commands and to always include clickable booking links and a branded tag. The skill also references internal reference files (references/*.md) that are not present in the package. The runtime instructions therefore perform networked operations and rely on external software and configuration that are not disclosed in the skill metadata.
Install Mechanism
There is no formal install spec in the registry, but the SKILL.md tells the agent to run 'npm i -g @fly-ai/flyai-cli' if the CLI is missing. Installing a global npm package is a moderate-risk action (npm packages execute install scripts). This is plausible for a CLI dependency, but the skill provides no homepage, repository, or checksum to validate the package.
Credentials (flagged)
The skill declares no required environment variables or config paths, yet its runtime commands will contact an external service via flyai-cli and presumably require authentication or stored credentials. The SKILL.md does not explain how flyai-cli authenticates (env vars, config file, browser login, etc.), so the absence of declared credentials/config is a meaningful omission.
Persistence & Privilege
The skill does not request permanent 'always' inclusion and does not modify other skills or system-wide settings. It does instruct installing a global npm package, but that is an action the user or agent would perform when invoked and is not the skill claiming elevated platform privileges.
What to consider before installing
This skill asks you (via the agent) to install and run a third-party CLI (npm i -g @fly-ai/flyai-cli) and to rely exclusively on its output, but the skill package provides no homepage, repository, or declared credentials needed for the CLI. Before installing or using it:

1) Verify the npm package (@fly-ai/flyai-cli) on npmjs.org and review its repository and maintainers.
2) Inspect the CLI source or its install scripts to ensure it doesn't run unexpected code on install.
3) Ask the skill author for the flyai service's homepage, auth method, and privacy policy.
4) Check whether the CLI requires API keys or stores credentials in a config file; do not provide sensitive credentials without knowing where they are stored.
5) Prefer running the CLI in a sandbox/container or with a test account first.
6) If you cannot verify the package source and authentication details, do not install it.

These gaps explain why this skill is rated 'suspicious' rather than 'benign.'



