FlyWise — Student Flight Price API (Real-Time Flight Search for International Students)

Pass

Audited by VirusTotal on May 6, 2026.

Overview

Type: OpenClaw Skill
Name: flywise-flights
Version: 1.0.0

The flywise-flights skill is a flight price monitor that uses a pay-per-query model (HTTP 402) to provide real-time data and historical trends via the flywise.win API. The workflow is transparently documented, requiring only standard flight search parameters (airport codes, dates) and interacting with a separate payment skill for transactions. There is no evidence of data exfiltration, malicious execution, or harmful prompt injection.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may be asked to pay a small fee before receiving flight results.

Why it was flagged

The skill chains an external flight API request into a payment-service workflow. This is disclosed and purpose-aligned, but it is still a paid action.

Skill content

Pass the entire 402 response message... to Alipay's alipay-pay-for-402-service skill and guide the user through payment (0.03 yuan per query, a single charge, no subscription).

Recommendation

Confirm the user understands and approves each paid query, and avoid automatic retries that could create repeated payment prompts.

What this means

If the payment proof is exposed, someone else might be able to use that paid request or inspect payment-related metadata.

Why it was flagged

The Payment-Proof acts like a temporary credential authorizing the paid API result.

Skill content

After the payment succeeds, the user receives a `Payment-Proof` credential. Carry this credential as an HTTP header

Recommendation

Use the Payment-Proof only for the exact paid request, do not paste it elsewhere, and avoid verbose logging or displaying the header unnecessarily.

What this means

Users must trust the remote flywise.win service behavior because no server-side implementation is included for review.

Why it was flagged

The artifacts identify the service domain, but do not provide source-code provenance or a homepage for independent review.

Skill content

Source: unknown; Homepage: none

Recommendation

Treat flywise.win as a third-party paid service and verify the domain and payment amount before using it.

What this means

Flight-search and payment-challenge details may be shared with the payment skill as part of completing the transaction.

Why it was flagged

The workflow passes a full payment challenge response from one service to another skill, creating an inter-service data flow.

Skill content

Pass the entire 402 response message (including response headers and response body) to Alipay's alipay-pay-for-402-service skill

Recommendation

Only pass the payment challenge needed for the transaction, and do not include unrelated user data in the request.