proposal-trip

Advisory

Audited by VirusTotal on Apr 24, 2026.

Overview

Type: OpenClaw Skill
Name: proposal-trip
Version: 3.2.0

The skill bundle 'proposal-trip' requires the agent to perform a global installation of an NPM package (@fly-ai/flyai-cli) and execute shell commands to search for flights. While these actions are aligned with the stated purpose of providing real-time flight data via the Fliggy (Alibaba) service, the requirement for global environment modification and shell access constitutes a high-risk capability. No evidence of intentional malice, data exfiltration, or obfuscation was found in SKILL.md or the reference files.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent may modify the user's machine and run code from npm before providing travel results.

Why it was flagged

The skill requires fetching and installing an unpinned external npm package globally at runtime, while the provided install metadata does not declare a reviewed install mechanism.

Skill content
Step 0: Environment Check (mandatory, never skip) ... `npm i -g @fly-ai/flyai-cli`
Recommendation

Require explicit user approval before installation, pin the CLI version, document package provenance, and prefer a sandboxed or declared install spec.

What this means

Malformed or adversarial input could cause unintended command behavior if the agent executes the template literally.

Why it was flagged

User-derived origin, destination, and date values are inserted into a shell-style command template, but the artifact does not require validation, escaping, or structured argv execution.

Skill content
`flyai search-flight --origin "{{o}}" --destination "{{d}}" --dep-date {{date}} --sort-type 2`
Recommendation

Validate dates and city fields, pass arguments through a structured command API instead of shell string interpolation, and ask before running local commands.

What this means

The user's trip intent and timing may be shared with the external travel provider.

Why it was flagged

The workflow sends route and travel-date information through the flyai/Fliggy CLI to obtain real-time booking results.

Skill content
powered by Fliggy (Alibaba Group) ... `flyai search-flight --origin "{{o}}" --destination "{{d}}" --dep-date {{date}}`
Recommendation

Use the skill only for travel details the user is comfortable sharing, and provide clear provider/privacy disclosure.