qingming-flight

Review

Audited by ClawScan on May 10, 2026.

Overview

The travel-booking workflow is coherent, but it tells the agent to automatically install an unpinned global npm CLI that is not declared in the install metadata.

Review before installing. If you use it, manually verify or install the `@fly-ai/flyai-cli` package yourself, preferably with a pinned version, and be aware that your route/date search details will be sent to the travel provider.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may modify the user's system and run code from an external npm package before it can search flights.

Why it was flagged

The skill directs the agent to fetch and globally install the latest npm CLI at runtime; the supplied install specs declare no install mechanism or pinned version, so the package code/provenance is outside the reviewed artifact set.

Skill content

FAIL: `command not found` -> `npm i -g @fly-ai/flyai-cli`

Recommendation

Require explicit user approval before installation, declare the dependency in the install spec, pin the package version, and prefer a sandboxed or pre-reviewed CLI installation.

What this means

The agent may try CLI options that were not clearly declared, which could cause errors or broaden the CLI behavior beyond the documented table.

Why it was flagged

The skill attempts to constrain CLI usage but also includes at least one flag outside the main parameter table, making the command boundary less clear.

Skill content

`NEVER invent CLI parameters. Only use parameters listed in the Parameters Table below.` ... `--journey-type 1 --sort-type 2`

Recommendation

Align the parameter table with every allowed flag/subcommand and use safe argument handling for user-supplied travel fields.

What this means

Travel plans such as origin, destination, and dates may be shared with the external travel provider as part of the intended search.

Why it was flagged

The workflow sends user-selected route and date information through the flyai/Fliggy travel service to retrieve real-time pricing and booking links.

Skill content

`description: ... powered by Fliggy (Alibaba Group)` and `flyai search-flight --origin "{{o}}" --destination "{{d}}" --dep-date {{date}}`

Recommendation

Use the skill only for travel details you are comfortable sending to the provider, and review the provider's privacy terms if the itinerary is sensitive.