Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Google Flights Search
v1.0.2
Search real flight prices and schedules from Google Flights via SearchAPI.io. Use when a user asks to find flights, check prices, compare options, or search...
by Gal Dayan (@galdayan)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The script and SKILL.md both require a SEARCHAPI_KEY to call SearchAPI.io, which is appropriate for the stated purpose. However the registry metadata at the top of the package lists no required env vars/credentials — this is an inconsistency. The skill also insists results be scored by `flight-scoring` and saved by `flight-price-monitor`, which expands the effective capability beyond a simple search helper.
Instruction Scope
SKILL.md requires that results be piped through `flight-scoring` and ALWAYS saved via `flight-price-monitor` (automatic price tracking). That enforces persistent side-effects (saving/search-monitoring) and cross-skill invocation even if a user only requested a one-off search. The runtime instructions and script also log requests/responses to a logs directory in the workspace — responses may include booking tokens and booking URLs which could be persisted. The script reads only SEARCHAPI_KEY from the environment and calls SearchAPI.io and Google click-tracker endpoints; it does not appear to read unrelated system files, but the enforced cross-skill saving is scope creep and should be explicit to users.
Install Mechanism
No install spec is present and the code uses only Python stdlib; there are no downloads or extract/install steps. This is low-risk from an installation/execution-supply-chain perspective.
Credentials
Requesting SEARCHAPI_KEY is proportional to contacting SearchAPI.io; the code indeed fails if SEARCHAPI_KEY is not set. The package metadata, however, does not declare that env var, which is an inconsistency. Additionally, the script appends the API key as a query parameter to outbound HTTPS requests (normal for some APIs) — this can expose the key in URLs or to intermediaries if not carefully handled, and responses (which may contain booking tokens or booking_request data) are logged to a workspace logs path, potentially persisting sensitive tokens.
Persistence & Privilege
The skill is not marked always:true and does not modify other skills' configs. Nonetheless SKILL.md mandates saving every search via the `flight-price-monitor` skill, which will create persistent tracking activity and likely cause automated background behavior via that other skill. Installing this skill effectively opts you into persistent price-monitoring behavior (if the other skill is available/installed).
What to consider before installing
What to check before installing:
- The package metadata omitted required environment variables; SKILL.md and the script require SEARCHAPI_KEY. Confirm the registry metadata or supply SEARCHAPI_KEY intentionally (only if you trust SearchAPI.io).
- Be aware this skill enforces two automatic side effects: (1) it always pipes results through `flight-scoring`, and (2) it always saves searches via `flight-price-monitor` for automatic tracking — if you only want a one-off search, this behavior may be undesirable. Review/verify the other two skills before enabling.
- The script logs request/response data under a workspace logs path (logs/skills/google-flights-search). These logs may include booking tokens or URLs; confirm where logs are stored and who can access them.
- The API key is sent as a URL query parameter to SearchAPI.io. While the endpoint uses HTTPS, query parameters can appear in logs or referral headers; if this is a concern, ask the author whether an Authorization header is supported instead.
- Verify SearchAPI.io's privacy/rate limits and trustworthiness before providing an API key. If you want stronger assurance, request that the author update package metadata to declare SEARCHAPI_KEY as a required env var and document exactly what `flight-scoring` and `flight-price-monitor` do with saved searches.
If you want, I can: (a) extract the remaining parts of the script to check exactly what it logs and what it sends to the other skills; or (b) draft questions to ask the package owner to resolve the inconsistencies.
