Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
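Flight Low-Price Calendar (机票低价日历)
v1.0.1
A flight low-price calendar assistant that helps users with flexible schedules find the cheapest departure date. Enter the origin, destination, and a flexible date range; it automatically scans each day's ticket prices and generates a visual low-price calendar. Use when the user mentions "which day is cheapest to fly", "low-price calendar", "flight price comparison", "which day is the best value to depart", "flexible dates", or "cheap flights".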
⭐ 0· 81·0 current·0 all-time
by hello_hang @hello-ahang
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill declares no required binaries or install spec, but SKILL.md repeatedly instructs installing and using a global CLI (npm install -g @fly-ai/flyai-cli) and running the flyai CLI commands. Requiring a third-party CLI is coherent with the skill's function, but the registry metadata does not declare this dependency—this mismatch is unexplained.
Instruction Scope
Runtime instructions tell the agent to read and write a local user file (~/.flyai/user-profile.md) and to try Qoder memory APIs (search_memory/update_memory). They also instruct adding NODE_TLS_REJECT_UNAUTHORIZED=0 to commands to bypass SSL verification. Reading/writing the home file and disabling TLS are outside a minimal 'search and present prices' scope without explicit user consent and are security sensitive.
Install Mechanism
There is no formal install spec, but SKILL.md requires a global npm install from the public registry. Installing an npm package is common but has moderate risk (code will be executed on the host). The skill suggests sudo/global install and registry changes, and does not provide package provenance or checksum—this omission increases risk.
Credentials
Declared requirements list no env vars or config paths, yet instructions rely on NODE_TLS_REJECT_UNAUTHORIZED (to be set to 0) and reading/writing ~/.flyai/user-profile.md. The skill also expects platform tools (search_memory/update_memory) if present. Asking to disable TLS verification and to access a home-path file are disproportionate to the stated purpose without clearer justification or explicit user opt-in.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It does instruct creating and updating ~/.flyai/user-profile.md (persisting user preferences). Persisting a local profile is reasonable, but it should be explicitly declared and permissioned; current instructions assume write access to the user's home directory.
What to consider before installing
Before installing or running this skill: (1) Confirm you are willing to install a third-party npm package (@fly-ai/flyai-cli). Review that package's source and reputation on npm/GitHub before global installation. (2) Do not run commands with NODE_TLS_REJECT_UNAUTHORIZED=0 unless you understand and accept the risk—this disables SSL/TLS validation and can expose you to man-in-the-middle attacks; ask the skill author why this is necessary and whether endpoints can be fixed. (3) The skill reads/writes ~/.flyai/user-profile.md; if you care about privacy, decide whether to allow local storage or to keep preferences ephemeral. (4) Verify whether the extracted jumpUrl links include affiliate/tracking parameters and confirm you are comfortable with the redirection behavior. (5) If possible, run the CLI in a sandbox or inspect network activity the first time you use it. If the author can provide an explicit install spec, signed release, and justification for the TLS bypass, re-evaluate; lacking that, proceed cautiously or treat as unreliable.
Like a lobster shell, security has layers — review code before you run it.
latestvk977wmz3xnza24y7tzcad08vb1844q91
