Skillv3.2.0

ClawScan security

Water Park Guide · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 11, 2026, 7:51 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly matches a water-park search helper, but it asks the agent to install and run an external npm CLI (global install) and omits declaration of any credentials or install artifacts — these gaps are disproportionate and deserve caution.
Guidance: This skill is not obviously malicious but has several red flags. Before installing or using it: (1) Do not let the agent perform the global npm install automatically — run `npm i -g @fly-ai/flyai-cli` yourself in a controlled environment (container or VM) and inspect the package (package.json, repository, maintainers) on npm/GitHub. (2) Verify how flyai-cli authenticates and whether it will request API keys or save credentials; the skill does not declare any required secrets. (3) Be cautious because the SKILL.md references local reference files that are missing — the agent might attempt to search the filesystem or external URLs. (4) If you cannot vet the flyai package, prefer running queries manually against a vetted service or decline installation. If you want a safer test, run the CLI in an isolated sandbox and monitor network and filesystem activity.

Review Dimensions

Purpose & Capability: noteThe SKILL.md focuses on finding and booking water-park POIs via a 'flyai' CLI which is coherent with a travel/search helper. However the description advertises much broader travel functionality (flights, hotels, visas, insurance) that is not implemented or documented in the provided runtime instructions, creating a mismatch between advertised capabilities and the actual, narrow CLI commands.
Instruction Scope: noteRuntime instructions are prescriptive and constrained to using the flyai CLI for all answers (no training-data responses allowed). They do not ask the agent to read system files or environment variables, which is good, but they reference supporting files (references/*.md) that are not present in the skill bundle — the agent might try to locate them. The rule that every result must include a [Book]({detailUrl}) link is strict but consistent with the stated booking purpose.
Install Mechanism: concernThere is no declared install spec in the registry metadata, but SKILL.md mandates running `npm i -g @fly-ai/flyai-cli` if the CLI is missing. Instructing a global npm install is a high-impact action (network download, package scripts, system-wide write) and should have been declared. The package’s provenance (npm name only) is not audited here — installing unvetted global packages is a real risk.
Credentials: concernThe skill declares no required env vars or credentials, yet it performs booking-related operations via a third-party CLI (likely needing authentication to book/pricing endpoints). The absence of declared credentials or hints about how authentication is handled is a proportionality gap: the CLI may prompt for or rely on secrets not declared in the skill metadata.
Persistence & Privilege: concernalways:false (normal) and the skill is user-invocable. However the instructions explicitly require a global npm install, which modifies the host environment and grants persistence to the flyai CLI; that side-effect is not captured in the registry install metadata and increases the blast radius if the package is malicious or buggy.