Cabin Flights
WarnAudited by ClawScan on May 10, 2026.
Overview
The flight-search purpose is clear, but the skill includes an optional no-confirmation USDC payment command and references wallet scripts that are not included in the package.
Only install or use this skill if you are comfortable sending passenger details to Cabin's API and making real USDC payments. Do not let the agent pay automatically: verify the itinerary, passenger details, USDC amount, Base chain, and deposit address yourself, and prefer a dedicated low-balance wallet.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent with wallet capability follows this path too aggressively, it could send USDC to a booking deposit address and create an irreversible payment the user did not intend.
This is a high-impact crypto payment command, and the --yes flag can suppress an interactive confirmation; the skill does not clearly require explicit final user approval immediately before sending funds.
node src/send.js base USDC <deposit_address> <amount_usdc> --yes --json
Require an explicit final user confirmation for the exact flight, passenger names, amount, chain, token, and deposit address; avoid --yes by default and use wallet spending limits.
The command may fail, run an unintended local script, or rely on an unreviewed external wallet skill when handling real funds.
The skill references local Node helper scripts for wallet balance and payment, but the provided package is instruction-only and does not include those src files, making the code provenance unclear for a funds-moving workflow.
node src/balance.js base --json # Send USDC to deposit address node src/send.js base USDC <deposit_address> <amount_usdc> --yes --json
Declare and pin the wallet dependency or call a named, reviewed wallet tool instead of unqualified relative scripts; include clear provenance and user-approval requirements.
Connecting a wallet gives the agent potential access to view balances and initiate payments for travel purchases.
The skill may use delegated wallet authority to inspect balances and send USDC; that is purpose-aligned for crypto flight payment, but it is sensitive account authority.
If the agent has wallet capabilities (e.g., evm-wallet skill): # Check USDC balance on Base node src/balance.js base --json # Send USDC to deposit address
Use a dedicated low-balance wallet, set spending limits where possible, and require manual approval for every payment.