trade-fair
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill’s flight-search workflow is coherent, but it tells the agent to install and run an unpinned global npm command-line tool that is not declared in the install metadata.
Before installing, verify that you trust `@fly-ai/flyai-cli` and the flyai/Fliggy service. Do not let the agent run the global npm install unless you approve it, and avoid entering travel details you would not want shared with the provider.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill can lead the agent to download and install persistent third-party code on the user’s machine before performing searches.
The skill directs a runtime global npm installation of an unpinned package whose code is not included in the reviewed artifacts; the provided metadata also says there is no install spec or required binary.
If flyai-cli is not installed, install it first ... npm i -g @fly-ai/flyai-cli
Require explicit user approval before installation, declare the dependency in the install metadata, pin a trusted version, provide a homepage/provenance, and prefer a scoped local install when possible.
The agent will execute local commands to search flights, so malformed or unintended inputs could affect what command is run.
The skill is designed to run local shell commands with user-derived travel parameters. This is expected for real-time results, but it still requires command approval and parameter validation.
Step 2: Execute CLI Commands ... flyai search-flight --origin "{{o}}" --destination "{{d}}" --dep-date {{date}} --sort-type 2Review commands before execution and ensure user-supplied fields are validated and treated only as CLI arguments.
Your route, travel dates, and preferences may be shared with the flyai/Fliggy service to return results.
The intended workflow uses a provider-backed CLI to obtain real-time pricing, which means travel search details are sent outside the assistant.
powered by Fliggy (Alibaba Group) ... flyai search-flight --origin "{{o}}" --destination "{{d}}" --dep-date {{date}}Use the skill only for travel details you are comfortable sending to that provider, and review provider privacy and booking links before proceeding.