Skill v1.0.1
ClawScan security
MoltFlights · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 11, 2026, 9:27 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's description, runtime instructions, and requirements are internally consistent: it only documents calls to the MoltFlights API, requests no credentials, and has no install steps or extra permissions.
- Guidance
- This skill appears coherent and low-risk: it simply documents calling moltflights.com GET endpoints and needs no credentials or installs. Before enabling it, consider: (1) the agent will send any flight queries (dates, origins, destinations) to the external MoltFlights service — if you consider those searches sensitive (travel plans), be aware they leave your environment; (2) example scripts parse HTML/JSON with command-line tools (curl/grep) — fragile but not malicious; (3) search results include external booking links which may redirect to third parties, so check links before following them; and (4) verify the MoltFlights site/privacy policy if you need assurance about how your queries are logged or used. If you require stronger guarantees, ask for a version that documents authentication, rate limits, or a privacy statement from the provider.
Review Dimensions
- Purpose & Capability
- ok: The name/description (flight search, price alerts) aligns with the declared tools and examples: all operations are HTTP GETs against moltflights.com endpoints and examples show querying and parsing results. There are no unrelated env vars, binaries, or install actions requested.
- Instruction Scope
- ok: SKILL.md contains only API call descriptions, example curl commands, and simple local parsing examples (grep). It does not instruct the agent to read unrelated files, access credentials, or exfiltrate data to unexpected endpoints. The examples do show creating cron jobs and parsing responses, which are reasonable for price-alert use cases.
- Install Mechanism
- ok: This is an instruction-only skill with no install spec and no code files. Nothing will be written to disk by an installer; the runtime surface is limited to HTTP requests to the stated API endpoints.
- Credentials
- ok: No environment variables, credentials, or config paths are requested. The lack of required secrets is proportionate to the claimed public API usage. Note: searches and dates supplied by the user will be sent to the external MoltFlights API (expected for this service).
- Persistence & Privilege
- ok: always is false and the skill does not request elevation or modify other skills/config. Autonomous invocation is allowed (platform default), which is expected for a skill that can perform queries, but the skill itself does not request persistent system privileges.
