Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Air France - KLM

v1.0.1

Track Air France flights using the Air France–KLM Open Data APIs (Flight Status). Use when the user gives a flight number/date (e.g., AF007 on 2026-01-29) and wants monitoring, alerts (delay/gate/aircraft changes), or analysis (previous-flight chain, aircraft tail number → cabin recency / Wi‑Fi). Also use when setting up or tuning polling schedules within API rate limits.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and SKILL.md implement exactly what the description promises: calling the Air France–KLM Open Data Flight Status API, polling/watch logic, previous-flight chain handling, and optional aircraft enrichment via a public Planespotters endpoint. However, the registry metadata declares no required credentials while the runtime explicitly requires an AFKL API key (AFKL_API_KEY) and optional secret — this mismatch is unexpected and should be corrected or justified.
Instruction Scope
Runtime instructions are focused and specific: obtain an AFKL API key, provide it via env vars or files in a state dir, call api.airfranceklm.com, respect rate limits, write small caches under a state directory, and optionally enrich tail numbers via Planespotters. The scripts do not attempt to read arbitrary system files or other credentials beyond the declared state dir/env vars. The only minor scope note: the skill suggests storing credentials in plaintext files under the state dir (it recommends chmod 600), which is functional but has security implications.
Install Mechanism
There is no installer and no external downloads; this is instruction + included Node.js scripts. No third-party packages are fetched at install time. No remote install URLs or archive extraction are used.
Credentials
The skill requires an AFKL API key (AFKL_API_KEY) and optional AFKL_API_SECRET at runtime, but the registry metadata lists no required environment variables/primary credential — this is an inconsistency. The scripts also read CLAWDBOT_STATE_DIR or AFKL_STATE_DIR (or fall back to ./state) and may create cache/state files there; that file I/O is expected but the state-path fallback includes a hard-coded host path (/home/cwehrung/clawd/state) which is environment-specific and should not be assumed on other hosts. Overall, the requested secrets are proportional to the purpose, but the metadata omission and plaintext-file guidance merit attention.
Persistence & Privilege
The skill does not request persistent platform privileges (always:false). It writes caches and state files only under its state directory (user-configurable), which is normal for a watcher. It does not modify other skills or system-wide configs. Autonomous invocation is allowed by default (normal for skills) and not in itself flagged.
What to consider before installing
This skill appears to do what it says (poll AF/KLM Open Data and enrich tail numbers). Before installing:
1) Expect to supply a valid AFKL API key/secret. The skill needs AFKL_API_KEY (and optionally AFKL_API_SECRET) but the registry metadata does not declare this; confirm you're comfortable providing that key.
2) Prefer environment variables over plaintext files. If you do store credentials in files in the state dir, ensure correct permissions (chmod 600) and that the state dir is not shared or world-readable.
3) Review/override the state dir (set CLAWDBOT_STATE_DIR or AFKL_STATE_DIR) to avoid accidental use of host-specific paths; the code falls back to /home/cwehrung/clawd/state if it exists.
4) The scripts call only api.airfranceklm.com and a public Planespotters endpoint. If you require stricter network controls, run them in a constrained environment.
5) Ask the publisher to correct the registry metadata to list AFKL_API_KEY / AFKL_API_SECRET as required credentials so the permissions are transparent.
If you want a higher assurance level, request a signed publisher identity or run the code in an isolated environment first.
