Travel Companion
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: travel-companion Version: 1.0.5 The skill relies on executing remote code via `npx @aizzie/cli@latest`, which involves high-risk shell and network access. While this behavior is aligned with the stated purpose of travel planning through the aizzie.ai service, the use of unpinned remote packages in `SKILL.md` presents a significant supply-chain risk and potential for unauthorized execution if the package is compromised. No explicit malicious intent was found, but the capability is inherently risky.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may execute package code from npm that was not included in this review and may change over time as the latest package changes.
The skill instructs the agent to run an external npm CLI, including an unpinned @latest reference, while the reviewed artifact set contains no code or install spec for that CLI.
All commands use `npx @aizzie/cli@latest`. ## First Step — Always Run `npx @aizzie/cli docs` to load the full CLI reference and workflow.
Pin the CLI version, declare the executable dependency in install metadata, and require user confirmation before first running the npx command.
Trip details, destinations, companions, and itinerary information may remain available beyond the current conversation and may be accessible through shared links.
The skill stores travel plans outside the chat in a persistent, shareable, collaborative service.
**Persistent** — the trip plan lives at https://aizzie.ai. It survives beyond this conversation. The user can come back to it anytime. **Shareable** — travel companions get a link to view and co-edit the same plan.
Use the skill only for trip information you are comfortable storing at Aizzie, and review sharing settings or links before sending them to others.