Skill v1.0.1

ClawScan security

Flight Pricer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 17, 2026, 1:57 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, instructions, and resource usage line up with a simple Duffel-based flight-pricing CLI; nothing in the package indicates unexplained access or hidden external endpoints.
Guidance
This package appears to do exactly what it claims: a small CLI that posts flight search requests to Duffel. Before installing, verify the source you obtained the code from (SKILL.md references a GitHub repo but registry 'Source' is unknown). Install inside a dedicated virtual environment as instructed. Be aware the Duffel API key is stored unencrypted at ~/.config/flight-pricer/config.yaml — check/limit file permissions or use a safer secret storage method if you prefer. Finally, inspect the code yourself if possible (it's small and readable) and only provide a Duffel API key you trust for use with this tool.

Review Dimensions

Purpose & Capability: ok
Name/description match the implementation: the package implements a CLI that posts to Duffel's API to search offers. Declared dependencies (click, requests, pyyaml, tabulate) and the console entry point are appropriate for a CLI.
Instruction Scope: note
Runtime instructions are limited to creating/using a virtualenv, installing the package, and storing a Duffel API key in ~/.config/flight-pricer/config.yaml. The skill reads/writes only that config file and performs API calls to api.duffel.com, which is consistent with the stated purpose; note that the SKILL.md assumes cloning from a GitHub repo even though the registry metadata lists 'Source: unknown'.
Install Mechanism: ok
There is no automated installer in the registry (instruction-only install). The README/SKILL.md recommend pip install -e into a venv (no external downloads or obscure URLs). This is a low-risk, conventional installation approach.
Credentials: note
The skill requires a Duffel API key to operate but does not request unrelated credentials or environment variables. However, it stores the API key as plaintext YAML at ~/.config/flight-pricer/config.yaml (yaml.dump) — functional but not encrypted; users should consider file permissions or alternative secret storage if this is sensitive.
Persistence & Privilege: ok
The skill does not request always:true, does not modify other skills or system-wide agent settings, and only creates its own config file under the user's home directory. Autonomous invocation is the default platform behavior and is not by itself problematic here.