summer-vacation-flight
Review
Audited by ClawScan on May 10, 2026.
Overview
The flight-search purpose is coherent, but the skill tells the agent to install an unpinned global npm CLI at runtime without a declared install mechanism, so it should be reviewed before use.
Before using this skill, decide whether you trust the @fly-ai/flyai-cli package and ask the agent not to run `npm i -g` without your confirmation. Prefer a pinned or isolated install, provide only travel details you are comfortable sharing with the provider, and verify all booking links before paying.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

A routine flight-search request could cause a global npm package to be installed and executed on the user's machine before results are returned.
The skill instructs the agent to install an unpinned third-party npm package globally at runtime if the CLI is missing. That is a persistent local-environment change and the package code is outside the reviewed artifacts.
Step 0: Environment Check (mandatory, never skip) ... `npm i -g @fly-ai/flyai-cli`
Require explicit user confirmation before installation, declare the CLI dependency in install metadata, pin the package version, and prefer an isolated installation environment.

The agent may try unsupported or unintended CLI options, leading to failed or confusing searches.
The main instructions define a strict parameter allowlist, but later examples use flags not listed in that table. This is more a scoping/reliability issue than evidence of malicious behavior.
`NEVER invent CLI parameters. Only use parameters listed in the Parameters Table below.` ... `--journey-type 1 --sort-type 2`
Align the parameter table and all playbooks, or explicitly mark additional supported flags before relying on them.

Travel search details may be shared with the flyai/Fliggy service, and booking links will take the user to an external provider.
The skill relies on an external provider/CLI for travel results, so route, date, and preference data are expected to be sent outside the local agent context.
`powered by Fliggy (Alibaba Group)` ... `Every piece of data MUST come from flyai CLI output.`
Only provide trip details you are comfortable sending to the provider, and verify booking links and prices before purchase.
