Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cabin Flights

v1.0.0

Search and book real flights with USDC payments. Gives your AI agent the power to find flights across 500+ airlines and complete bookings paid in USDC on Base. No credit cards, no banks — crypto-native travel commerce.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (flight search + USDC payments on Base) matches the SKILL.md: it calls an external API (https://api.cabin.team) to search, book, and provide a USDC deposit address/checkout URL. The only minor mismatch: SKILL.md metadata lists 'node' as a required binary and the doc references node scripts (src/balance.js, src/send.js) for wallet operations, yet this skill bundle contains no code files. Requiring node is plausible (for referenced wallet helpers) but unnecessary for an instruction-only skill as delivered.
Instruction Scope
Runtime instructions are limited to HTTP calls to api.cabin.team, fetching image_url, presenting results, collecting passenger details (names, DOB, email) required for booking, and showing payment info (deposit address or checkout URL). Collecting passenger PII is expected for bookings but is sensitive — the skill directs transmission of that PII to an external API and guides users to send crypto to the provided deposit address. It also references local node wallet scripts that are not present in the package; an agent attempting to run them will fail unless those scripts exist elsewhere.
Install Mechanism
No install spec is present (instruction-only skill). That minimizes on-disk persistence and installation risk.
Credentials
The skill declares no required environment variables or credentials, which is proportionate to an instruction-only connector that delegates calls to an external API. There are no unexplained requests for unrelated secrets. Note: the skill relies on an external API/service (cabin.team) to perform bookings and payments, so credentials for upstream providers (if required) would be handled by that service, not this skill bundle.
Persistence & Privilege
always is false and the skill does not request any elevated persistence. Agent-autonomous invocation is allowed by default (disable-model-invocation: false) — this is normal. Be particularly cautious if the agent has wallet capabilities or is granted signing/sending privileges, since the skill's workflow includes paying USDC to external deposit addresses.
Assessment
This skill appears to do what it says: call an external Cabin API to search/book flights and provide a USDC deposit address on Base. Before installing or using it:
1) Verify the external service (api.cabin.team, cabin.team, and the referenced GitHub repo) are legitimate — confirm ownership and reviews where possible.
2) Understand that booking requires sharing passenger PII (names, birthdates, emails) with that external API — only send what you're comfortable sharing and check the service's privacy/legal terms.
3) Never send large amounts of USDC to a deposit address without independently verifying the booking and the address (phishing risk).
4) The skill references node wallet scripts that are not included; if you enable wallet automation (evm-wallet or similar), restrict automatic payments and require explicit user confirmation before any transaction.
5) If you need higher assurance, ask the publisher for the missing node scripts or a public repo/manifest and confirm the smart-contract token address and payment flow off-platform before transacting.
Overall: coherent and expected functionality, but treat crypto payments and PII with caution.

Like a lobster shell, security has layers — review code before you run it.

latest vk977d498b7n5jfk7g4k4gn1vv180p2fh

Runtime requirements

✈️ Clawdis
Bins: node
