Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
VariflightAviation
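v1.0.4 Flight information lookup Skill (official VariFlight MCP) - real-time flight status, route search, comfort assessment, airport weather, transfer planning, real-time tracking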
by Lance @lancenas · duplicate of @lancenas/variflight-aviation (1.0.4) · canonical: @lancenas/variflight-aviation-skill
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (medium confidence)
Purpose & Capability
Name/description (flight data, MCP integration) match the code and SKILL.md. The skill only asks for a VariFlight API key (X_VARIFLIGHT_KEY or VARIFLIGHT_API_KEY) and uses Node/npx to run the @variflight-ai/variflight-mcp MCP server — all of which are coherent for its stated purpose.
Instruction Scope
SKILL.md instructs the user to provide an API key via config.local.json or X_VARIFLIGHT_KEY and to use npx to run @variflight-ai/variflight-mcp. The runtime instructions and code read the local config and environment and spawn an npx process, then communicate with that MCP over stdio. The skill requests network, env-read and file-read permissions, which align with its behavior. Note: the pre-scan raised a prompt-injection detection (unicode-control-chars) on SKILL.md; this is likely formatting, but it is worth checking the raw file for hidden/control characters.
Install Mechanism
No install spec in registry, but the code dynamically invokes npx -y @variflight-ai/variflight-mcp at runtime (MCPServerManager and Stdio transport). This means the remote npm package will be downloaded and executed on first run — expected for an MCP-style skill but higher-risk than pure instruction-only skills. The package comes from the npm registry (no arbitrary URL downloads observed).
Credentials
Only the VariFlight API key (X_VARIFLIGHT_KEY / VARIFLIGHT_API_KEY) is required and is justified by the skill's interactions with VariFlight's MCP. The skill reads config.local.json if present and process.env; it does not request unrelated credentials or system secrets in the manifest.
Persistence & Privilege
The skill is user-invocable, not always-enabled, and does not request elevated persistence or modify other skills. It spawns subprocesses (npx) but does not alter system-wide agent configuration beyond using local config/env as expected.
Scan Findings in Context
[unicode-control-chars] unexpected: The pre-scan detected unicode control characters in SKILL.md. This is not necessary for the skill's functionality and could be accidental formatting or an attempt to obfuscate text. Inspect the SKILL.md raw content to confirm there are no hidden instructions or invisible characters.
Assessment
This skill appears to do what it claims (a VariFlight MCP client). Before installing or running it:
1) Verify the npm package @variflight-ai/variflight-mcp on the npm registry (author, version history, and recent releases) because the skill dynamically downloads and executes that package via npx.
2) Inspect SKILL.md and included source for any unexpected hidden characters (pre-scan found unicode control chars).
3) Provide an API key only from the official VariFlight site (https://ai.variflight.com/keys) and be aware the key will be passed to the child MCP process; that process will contact VariFlight servers (expected for functionality).
4) If you need stronger assurance, pre-install and audit @variflight-ai/variflight-mcp locally and pin a known-good version, or run the skill in an isolated environment.
5) If you operate in a sensitive environment, review network egress logs and the MCP package source before granting network access.
src/lib/mcp-server-manager.js:17
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Runtime requirements
✈️ Clawdis
OS: macOS · Linux · Windows
Environment variables
X_VARIFLIGHT_KEY (required)