Skill v1.0.0

ClawScan security

Duffel Flights · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 22, 2026, 11:31 PM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill implementation matches its stated Duffel API purpose, but the package metadata omits the required DUFFEL_TOKEN and there are minor metadata/install inconsistencies that you should review before trusting it with real credentials or bookings.
Guidance
This skill appears to be a legitimate Duffel API CLI, but the package metadata omits the required DUFFEL_TOKEN and the repository lists a dependency (requests) without an install step. Before installing: (1) Prefer using a Duffel test token (duffel_test_...) so you only hit the sandbox; (2) Do NOT provide a live DUFFEL_TOKEN unless you fully trust the skill source — a live token can create real bookings and incur charges; (3) Review scripts/duffel.py (it sets Authorization: Bearer <token>, writes /tmp/duffel-last-search.json, and sends passenger data to the Duffel API); (4) Ensure the environment has the requests library or install it in an isolated environment; (5) Consider limiting autonomous agent invocation or disabling model-driven actions until you've tested with a sandbox token; (6) If you proceed with a production token, rotate it afterward and monitor your Duffel account activity.

Review Dimensions

Purpose & Capability
concern: The code and SKILL.md implement searching, offers, booking, order/cancel, seat maps and places lookups against https://api.duffel.com — this is coherent with the skill name/description. However, the registry metadata claims no required environment variables while both SKILL.md and scripts/duffel.py require a DUFFEL_TOKEN. That mismatch is an incoherence in the package manifest (the skill legitimately needs the token, but the metadata does not declare it).
Instruction Scope
ok: Runtime instructions and the script stay within the claimed scope: they call Duffel API endpoints, save the last search to /tmp/duffel-last-search.json, and do not reference unrelated system paths or other credentials. Note: booking operations will transmit passenger personal data (names, DOB, email, phone, nationality) to Duffel — this is expected for a booking tool but is sensitive and should be handled with care.
Install Mechanism
note: There is no install spec (instruction-only install), which is low-risk. The repository includes scripts/requirements.txt listing 'requests' but no automated install step is declared; that's an inconsistency (the code depends on requests but the package metadata does not list it). No downloads from external/untrusted URLs are present.
Credentials
concern: The only runtime credential required is DUFFEL_TOKEN, which is appropriate for this skill. However, the package metadata declares no required env variables or primary credential while the code and SKILL.md require DUFFEL_TOKEN — this is an important mismatch. Because DUFFEL_TOKEN can be a production token able to create real bookings and charge the linked account/wallet, the missing declaration reduces transparency and increases risk if you supply a live token without realizing it.
Persistence & Privilege
ok: The skill does not request always:true and does not modify other skills or system-wide settings. It writes a single file to /tmp/duffel-last-search.json to store last search results. Note: the skill can be invoked autonomously by the agent (default platform behavior); if given a live DUFFEL_TOKEN, an agent could perform searches and bookings on your behalf, so confirm agent invocation permissions before granting credentials.