Back to skill
Skillv3.2.0
VirusTotal security
qingming-flight · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 24, 2026, 8:11 AM
- Hash
- eac74d2f25cf86a37cef3f6605d8dab0e59e50c168014029d64465ed51d477a9
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: qingming-flight Version: 3.2.0 The skill facilitates flight bookings via a CLI tool but contains instructions in SKILL.md and references/fallbacks.md for the agent to automatically install a global NPM package (@fly-ai/flyai-cli) if it is not found. This auto-installation of global dependencies represents a significant supply chain risk and a high-privilege operation (Remote Code Execution) on the host system. While the behavior appears aligned with the stated travel-booking purpose, the requirement for the agent to modify the system environment by fetching and executing remote code without explicit user confirmation is a risky capability.
- External report
- View on VirusTotal