Skill v3.2.0

ClawScan security

travel-wallet · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 24, 2026, 7:38 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill claims broad travel capabilities but its runtime instructions only call an external npm CLI (flyai) for flight searches and ask the agent to install that CLI at runtime — this mismatch plus the unverified global npm install is concerning.
Guidance
This skill is inconsistent: it advertises many travel features (hotels, trains, Fliggy integration) but its instructions only call an external 'flyai' CLI for flight searches and instruct the agent to run `npm i -g @fly-ai/flyai-cli` if the CLI is missing. Installing a global, unpinned npm package from an unknown publisher can alter your system and is risky. Before installing or using this skill, do one or more of the following:
1) Verify the @fly-ai/flyai-cli package on npm/GitHub (owner, source code, recent activity, and trustworthiness);
2) Ask the skill author to explain/justify the Fliggy claim and provide documentation for hotel/booking flows (and whether any credentials will be required or captured);
3) Prefer a pinned package version and a non-global or sandboxed install;
4) Avoid installing on sensitive machines; test in an isolated environment;
5) If you need booking/payment features, require explicit details about how user credentials/payment data are handled.
If the author cannot clarify these points, treat the skill as untrusted.

Review Dimensions

Purpose & Capability
Status: concern
The description advertises flights, hotels, trains, attractions, visa info, insurance and more (and even claims 'powered by Fliggy'), but the SKILL.md only contains commands and playbooks for flight search via a 'flyai' CLI. Hotel/train/booking flows are not documented and there is no explanation of how Fliggy is involved. This overreach (advertised features not implemented in the instructions) is an inconsistency.
Instruction Scope
Status: concern
The runtime instructions require the agent to always run the external 'flyai' CLI and, if missing, to install it. They instruct global npm installation and mandate that every answer be sourced from that CLI output (never from training data). The instructions do not read or exfiltrate local files, but they do give the agent permission to install and execute third-party code at runtime, a broader execution scope than the skill's description justifies.
Install Mechanism
Status: concern
There is no registry install spec, yet SKILL.md directs runtime installation: `npm i -g @fly-ai/flyai-cli`. Installing an unpinned, third-party npm package globally is moderate-to-high risk: the package provenance is unknown, no version is pinned, and global installs modify the host environment. This is disproportionate without an official source or verification.
Credentials
Status: note
The skill does not request environment variables or credentials, which is appropriate for a read-only search tool. However, the description implies booking functionality (which often requires user credentials/payment) but provides no guidance or required credentials for safe booking flows. That omission is unexpected given the claimed capabilities.
Persistence & Privilege
Status: ok
The skill is not force-included (always:false) and does not request elevated persistent privileges in the manifest. The main privilege concern is the runtime global npm install (filesystem + network) that the skill instructs; this can require elevated rights on some systems but is not declared in metadata.