v1.0.1

Jinko

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:21 AM.

Analysis

Jinko is a coherent travel CLI guide, but it enables authenticated trip and booking actions without visible explicit confirmation safeguards, so it should be reviewed before installation.

GuidanceInstall only if you trust the Jinko CLI package and intend to let the agent use your Jinko account. Treat search and price-check commands as lower risk, but require a clear final confirmation before any booking, cancellation, trip modification, or paid action.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityMediumConfidenceMediumStatusConcern

SKILL.md

a terminal tool for searching flights, discovering destinations, managing trips, and booking travel

Booking travel and managing trips can create paid or account-changing actions, but the visible guide does not add an explicit approval requirement before such high-impact actions.

User impactIf an authenticated agent uses booking or trip-management commands too freely, it could make or change travel plans with real cost or account impact.

RecommendationRequire explicit user confirmation of itinerary, passenger details, price, refund/change terms, and payment impact before any booking, cancellation, or trip-modifying command.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceMediumStatusNote

SKILL.md

"install":[{"type":"node","package":"@gojinko/cli","global":true}]

The skill depends on a globally installed npm CLI package. That is purpose-aligned, but users must trust the external package and its updates.

User impactA compromised or unexpected CLI package version could affect local command behavior or credential handling.

RecommendationInstall from a trusted npm source, consider pinning a known-good version where possible, and review package provenance before using it with travel-account credentials.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusNote

SKILL.md

This opens your default browser, prompts you to sign in to your Jinko account, and stores the credentials locally.

The skill clearly discloses local Jinko account authentication, which is expected for the CLI but gives the tool access to a travel account.

User impactAnyone or any agent process able to use the stored credentials may be able to access Jinko account functions available through the CLI.

RecommendationUse the least-privileged authentication method available, avoid exposing API keys in command history or logs, and run `jinko auth logout` when access is no longer needed.