一键抄作业 (One-Click Copy Homework)

Review

Audited by ClawScan on May 10, 2026.

Overview

This travel-planning skill is purpose-aligned, but it tells the agent to install/update an unpinned global FlyAI CLI and disable HTTPS certificate checks, so it should be reviewed before use.

Use this only if you are comfortable with FlyAI searches and saved travel preferences. Before running it, avoid sudo and automatic global installs, ask for a pinned, reviewed FlyAI CLI version, and do not accept NODE_TLS_REJECT_UNAUTHORIZED=0 unless you understand the reduced HTTPS protection. No artifact evidence shows credential theft, destructive actions, or automatic booking.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Travel search details and booking links could be exposed or altered on an untrusted network, and the agent may trust tampered results.

Why it was flagged

This instructs the agent to run all FlyAI network commands with Node TLS certificate verification disabled, weakening protection against interception or tampering.

Skill content

Before executing any command, prefix it with `NODE_TLS_REJECT_UNAUTHORIZED=0` to resolve SSL certificate verification problems.

Recommendation

Do not disable TLS verification; require valid provider certificates, and run FlyAI commands only after the user understands the network/security tradeoff.

What this means

A global package install can change the local environment and execute code outside the reviewed skill artifacts.

Why it was flagged

Although the skill is presented as instruction-only with no install spec, it tells the agent to globally install or upgrade an unpinned latest npm package before use.

Skill content

Before performing any search, you must first ensure the FlyAI CLI is installed and at the latest version. ... `npm install -g @fly-ai/flyai-cli@latest --registry=https://registry.npmjs.org`

Recommendation

Declare the dependency in the install metadata, pin a reviewed version, avoid automatic upgrades, and ask the user before installing anything.

What this means

If run with admin/root privileges, the package install could modify system-wide files or settings.

Why it was flagged

The skill suggests using elevated privileges for a global CLI install, increasing the impact if the package or install path is unsafe.

Skill content

Insufficient permissions | Recommend using `sudo npm install -g @fly-ai/flyai-cli@latest --registry=https://registry.npmjs.org`

Recommendation

Avoid sudo for this skill; use a per-user install, nvm, a sandbox/container, or a reviewed managed install path.

What this means

Future itinerary sessions may reuse saved personal travel details, and incorrect or stale saved data could influence recommendations.

Why it was flagged

The skill stores and later reuses a travel profile containing personal preferences such as city, budget, companions, and travel history.

Skill content

Try Qoder Memory first (search_memory / update_memory) ... fall back to a local file ... `~/.flyai/user-profile.md`

Recommendation

Save only preferences you are comfortable retaining, and periodically review or delete the Qoder memory entry or ~/.flyai/user-profile.md file.