Skill v3.2.0

ClawScan security

red-flights · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 27, 2026, 2:43 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions mostly match a flight-search purpose, but it asks the agent to install and run an external npm CLI at runtime (including recommending sudo), and it writes execution logs to disk — behaviors that increase risk and deserve user verification before installing or running.
Guidance
Before enabling/using this skill:
1) Verify the authenticity of the flyai CLI package (@fly-ai/flyai-cli) on the npm registry and confirm it is the official client for the service the skill claims to use (the skill mentions 'Fliggy' but the CLI publisher is different).
2) Avoid automatic sudo/global installs; prefer manual inspection and installing in a sandbox or using a non-global/local install if possible.
3) Inspect the flyai-cli source or documentation (network endpoints, data sent) to ensure it doesn't exfiltrate sensitive data.
4) Be aware the skill will write an execution log file containing your queries; decide if storing that data locally is acceptable and where it will be written.
5) If you plan to complete bookings, confirm how authentication and payment are handled and whether any credentials will be required later.
If you cannot verify the CLI/package provenance, treat this skill as untrusted.

Review Dimensions

Purpose & Capability
note: The skill claims to search and book red-eye flights and directs the agent to use a dedicated CLI (flyai). That mapping is coherent: a flight-search skill would reasonably call an external flight-provider CLI. However, the description names 'Fliggy (Alibaba Group)' while the runtime CLI is '@fly-ai/flyai-cli'; that vendor/branding mismatch is unexplained and should be verified. No credentials are requested, which is consistent with read-only search operations, but booking flows may later require authentication that the skill does not describe.
Instruction Scope
concern: The SKILL.md forces all answers to come from the flyai CLI and prescribes installing the CLI if missing (including a sudo fallback). It also instructs creating a persistent execution log file (.flyai-execution-log.json) that contains raw user_query and CLI commands. These instructions cause the agent to perform network installs, may write potentially sensitive user input to disk, and instruct the agent to re-run commands until output meets formatting rules, increasing opportunity for repeated network activity. Although the file writes and CLI calls are within the skill's domain (flight search), they expand the skill's runtime footprint beyond simple ephemeral queries and should be highlighted to users.
Install Mechanism
concern: There is no formal install spec in the registry, but SKILL.md tells the agent to run 'npm i -g @fly-ai/flyai-cli' (and suggests using sudo if it fails). That is an instruction to download and install code from the public npm ecosystem at runtime. Installing a global npm package (especially with sudo) is higher risk because it executes third-party code on the host and may require elevated privileges. The skill provides no homepage, publisher reputation, or package verification guidance.
Credentials
note: The skill requires no environment variables or explicit credentials, which is proportionate for read-only search. However, it logs raw requests and CLI responses in a local file; those logs may contain PII (origin/destination, dates, possibly passenger names if later used) and booking-related URLs. The skill also does not describe how booking (click-to-book) is authenticated or whether payment data is handled, gaps users should consider.
Persistence & Privilege
note: The skill is not always-enabled and does not request elevated platform privileges in metadata. However, runtime instructions cause persistent changes: installing a global npm package and appending execution logs to .flyai-execution-log.json. These are modest persistence actions but do affect the host system and may require elevated permissions (sudo for global npm).