Skill v1.0.0
ClawScan security
SerpApi Flights (Google Flights) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign, Feb 23, 2026, 7:21 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and required environment variable (SERPAPI_KEY) align with its stated purpose of querying Google Flights via SerpApi; nothing in the files suggests unrelated access or covert exfiltration.
- Guidance
- This skill appears coherent and limited to calling SerpApi. Before installing: (1) Treat SERPAPI_KEY as a secret: the script sends it in the query string to serpapi.com; do not share keys in public prompts. (2) Confirm you trust SerpApi and understand its billing/rate limits (free tier ~100 searches/month). (3) Ensure your Node version supports global fetch and node:util parseArgs (Node 18+ recommended). (4) Review the included script yourself if you want to confirm no additional logging of sensitive context; the code prints query info and results to the console. (5) If you need tighter security, run the script in a restricted environment and rotate the API key if it is exposed.
Review Dimensions
- Purpose & Capability
- ok: Name/description say 'query Google Flights via SerpApi'; the skill requires node and a SERPAPI_KEY and contains a Node script that calls https://serpapi.com/search.json. All requested resources are appropriate for that purpose.
- Instruction Scope
- ok: SKILL.md only instructs setting SERPAPI_KEY and running the included Node script with origin/destination/date options. The script only reads the API key (and an alternative env var), builds a SerpApi URL, and prints results; it does not read arbitrary user files or call other endpoints.
- Install Mechanism
- ok: There is no install spec (instruction-only + single script). The only runtime requirement is the 'node' binary, which is declared. No downloads or archive extraction are present.
- Credentials
- ok: The only required environment variable is SERPAPI_KEY (with a fallback name SERPAPI_API_KEY used in code). That single API key is proportional and expected for a third-party search API client.
- Persistence & Privilege
- ok: The skill is user-invocable, is not marked always: true, and does not request persistent system-level privileges or modify other skills/config. It does not attempt to persist credentials beyond reading the provided env var.
