Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Weekend Flights
v3.2.0
Search flights for quick weekend getaways — auto-suggests Friday/Saturday departure and Sunday/Monday return for a perfect 2-3 day escape. Also supports: fli...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to be 'Powered by Fliggy (Alibaba Group)' in the description but all runtime instructions use an external CLI '@fly-ai/flyai-cli' and flyai commands — branding/implementation mismatch that suggests copy/paste or outdated metadata. Requiring an external flight-search CLI is reasonable for its stated purpose, but the Fliggy vs flyai inconsistency is unexplained.
Instruction Scope
SKILL.md tightly constrains answers to data produced by the flyai CLI (reasonable), but it also: (1) mandates installing and invoking an external global npm package at runtime; (2) includes a self-test that forces re-execution if output lacks a specific [Book](...) link, which could cause repeated CLI runs; and (3) references local support files (references/*.md) that are not present in the skill bundle. These behaviors increase operational complexity and the chance the agent will perform repeated installs/commands or get stuck in loops.
Install Mechanism
There is no formal install spec, but the skill instructs the agent to run `npm i -g @fly-ai/flyai-cli` if flyai isn't present. Installing a third-party global npm package at runtime is a normal way to use a CLI, but it carries the usual risk of executing code from the npm registry. The skill provides no checksum, official upstream URL, or vendor verification.
Credentials
The skill does not request environment variables, credential files, or configuration paths beyond installing and invoking the CLI. No secrets are required by the SKILL.md, which is proportionate to a read-only flight-search function.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not declare persistent agent-level privileges. The main privileged action is instructing a global npm install, which affects the host but is within the scope of using an external CLI.
What to consider before installing
This skill appears designed to use an external CLI to provide live flight results, which is reasonable — but check these before you install or allow autonomous execution:
- Verify the npm package: inspect the @fly-ai/flyai-cli package on the npm registry/GitHub (publisher, stars, recent releases, and source) before running a global install.
- Address the branding mismatch: the SKILL.md says 'Powered by Fliggy' but uses 'flyai'; ask the author which service is actually used and why metadata differs.
- Beware of the self-test and re-execution rule: the instruction to re-run if output lacks a [Book](...) link could cause repeated CLI executions. If you permit autonomous agent actions, consider disabling automatic installation or limiting retry behavior.
- The skill references local reference files that are not included; this may cause the agent to fail or behave unpredictably. Ask the maintainer to include or remove those references.
- If you lack confidence in the npm package, run the CLI installation yourself in a sandbox/container, or deny the skill permission to perform global installs. Ask the skill author for an explicit upstream URL, code repository, and package signature to increase trust.

Like a lobster shell, security has layers — review code before you run it.
