Skillv1.0.0

ClawScan security

Air France Klm · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

SuspiciousApr 29, 2026, 5:03 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's name/description claims interactive booking and flight-check capabilities, but the shipped instructions are purely informational and there are no integrations, credentials, or install steps to support those features.
Guidance: This package appears to be a read-only, informational description of the Air France-KLM group rather than a tool that can actually manage bookings or check live flights. If you installed it expecting interactive features (booking lookup, flight status, PNR management), do not rely on it — it declares no API integration, no credentials, and contains no code. Ask the publisher for clarification or for an implementation that lists the required API endpoints, auth method (e.g., OAuth or API key), and any install steps. If you need a skill that manipulates bookings, only install one that explicitly documents the external services it calls and the exact credentials it requires. If you plan to use this skill solely for background research about Air France-KLM, it appears harmless but offers only static content.

Purpose & Capability: concernName/description promises 'Manage bookings' and 'check flights', but the skill has no code, no install steps, and requires no credentials or API keys. That functionality would normally require airline APIs, user PNRs, or OAuth tokens — none are declared. This is an incoherence between claimed purpose and actual delivery.
Instruction Scope: concernSKILL.md contains static company background, business model, and 'read_when' guidance for research use. It contains no runtime instructions for querying flight status, accessing bookings, or calling Air France/KLM APIs. It does not instruct the agent to read files or access environment variables.
Install Mechanism: okNo install spec and no code files are provided. That minimizes installation risk but also means the skill cannot perform external actions (e.g., manage bookings) as claimed.
Credentials: concernThe skill declares no required environment variables or credentials. For passive informational content this is fine; for booking management it is insufficient. The absence of credential requirements is disproportionate to the claimed interactive capabilities.
Persistence & Privilege: okSkill is user-invocable, not always-enabled, and allows normal model invocation. Nothing requests elevated or persistent system privileges.