Skill v1.0.2

ClawScan security

Google Flights Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 2, 2026, 9:48 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill mostly does what it says (search Google Flights via SearchAPI.io), but there are coherence problems and unexpected runtime behaviors (missing declared env var, mandatory forwarding to other skills, and local logging) that warrant caution before installing.
Guidance
What to check before installing:

- The package metadata omitted required environment variables; SKILL.md and the script require SEARCHAPI_KEY. Confirm the registry metadata or supply SEARCHAPI_KEY intentionally (only if you trust SearchAPI.io).
- Be aware this skill enforces two automatic side effects: (1) it always pipes results through `flight-scoring`, and (2) it always saves searches via `flight-price-monitor` for automatic tracking. If you only want a one-off search, this behavior may be undesirable. Review/verify the other two skills before enabling.
- The script logs request/response data under a workspace logs path (logs/skills/google-flights-search). These logs may include booking tokens or URLs; confirm where logs are stored and who can access them.
- The API key is sent as a URL query parameter to SearchAPI.io. While the endpoint uses HTTPS, query parameters can appear in logs or referral headers; if this is a concern, ask the author whether an Authorization header is supported instead.
- Verify SearchAPI.io's privacy/rate limits and trustworthiness before providing an API key.

If you want stronger assurance, request that the author update package metadata to declare SEARCHAPI_KEY as a required env var and document exactly what `flight-scoring` and `flight-price-monitor` do with saved searches.

If you want, I can: (a) extract the remaining parts of the script to check exactly what it logs and what it sends to the other skills; or (b) draft questions to ask the package owner to resolve the inconsistencies.

Review Dimensions

Purpose & Capability
concern: The script and SKILL.md both require a SEARCHAPI_KEY to call SearchAPI.io, which is appropriate for the stated purpose. However, the registry metadata at the top of the package lists no required env vars/credentials; this is an inconsistency. The skill also insists results be scored by `flight-scoring` and saved by `flight-price-monitor`, which expands the effective capability beyond a simple search helper.
Instruction Scope
concern: SKILL.md requires that results be piped through `flight-scoring` and ALWAYS saved via `flight-price-monitor` (automatic price tracking). That enforces persistent side effects (saving/search monitoring) and cross-skill invocation even if a user only requested a one-off search. The runtime instructions and script also log requests/responses to a logs directory in the workspace; responses may include booking tokens and booking URLs, which could be persisted. The script reads only SEARCHAPI_KEY from the environment and calls SearchAPI.io and Google click-tracker endpoints; it does not appear to read unrelated system files, but the enforced cross-skill saving is scope creep and should be made explicit to users.
Install Mechanism
ok: No install spec is present and the code uses only the Python stdlib; there are no downloads or extract/install steps. This is low-risk from an installation/execution supply-chain perspective.
Credentials
concern: Requesting SEARCHAPI_KEY is proportional to contacting SearchAPI.io; the code indeed fails if SEARCHAPI_KEY is not set. The package metadata, however, does not declare that env var, which is an inconsistency. Additionally, the script appends the API key as a query parameter to outbound HTTPS requests (normal for some APIs); this can expose the key in URLs or to intermediaries if not carefully handled, and responses (which may contain booking tokens or booking_request data) are logged to a workspace logs path, potentially persisting sensitive tokens.
Persistence & Privilege
note: The skill is not marked always:true and does not modify other skills' configs. Nonetheless, SKILL.md mandates saving every search via the `flight-price-monitor` skill, which will create persistent tracking activity and likely cause automated background behavior via that other skill. Installing this skill effectively opts you into persistent price-monitoring behavior (if the other skill is available/installed).