极限出发
Warn
Audited by ClawScan on May 10, 2026.
Overview
The travel-planning purpose is coherent, but the skill tells the agent to auto-install an unpinned global CLI, suggests sudo, and disables TLS checks for searches.
Review this skill before installing. The travel-search behavior itself is coherent, but do not let it automatically run global or sudo npm installs, and avoid using the TLS-bypass command. If you use the profile feature, confirm what travel preferences are saved in memory or ~/.flyai/user-profile.md.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or upgrading a global npm package can run package code and change the user's local environment before the travel search starts.
The skill requires an unpinned '@latest' global npm install before any search, despite being presented as instruction-only with no install spec.
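Before running any search, **you must first run the install command** (whether or not it is already installed, to make sure it is the latest version): npm install -g @fly-ai/flyai-cli@latest --registry=https://registry.npmjs.org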
Declare the CLI dependency in the install spec, pin a reviewed version, avoid automatic upgrades, and require explicit user approval before installing.
If followed, the install step could run third-party package code with administrator-level privileges.
The workflow suggests using sudo for a global install of an unpinned package, which can give package installation scripts elevated privileges.
Insufficient permissions | Recommend using `sudo npm install -g @fly-ai/flyai-cli@latest --registry=https://registry.npmjs.org` or managing Node with nvm
Do not use sudo for this skill by default; prefer a pinned local install, nvm-managed user permissions, or a sandboxed execution environment.
A network attacker or misconfigured proxy could potentially intercept or alter travel search data and returned booking URLs.
Disabling Node TLS certificate validation for FlyAI commands weakens transport security and can allow tampering with search results or booking links.
If you encounter an "SSL certificate verification failed" error, you need to prefix the command with an environment variable: NODE_TLS_REJECT_UNAUTHORIZED=0 flyai <command>
Fix the certificate trust problem instead of disabling TLS; if a temporary workaround is unavoidable, ask the user first and clearly explain the risk.
Travel preferences and personal trip context may be reused across sessions from memory or a local profile file.
The skill persistently reads and may save a travel profile containing preferences such as city, budget, companions, and special needs.
Try Qoder Memory first (search_memory / update_memory)... fall back to a local file ... ~/.flyai/user-profile.md
Review what is stored, confirm before saving new preferences, and treat profile content as user data rather than authoritative instructions.
