Skillv3.2.0

ClawScan security

volunteer-travel · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 27, 2026, 2:45 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's behavior mostly matches a CLI-based travel booker, but it instructs the agent to globally install an unpinned npm package at runtime, contains a minor branding/name mismatch, and does not declare any required credentials the CLI might need — these gaps create supply-chain and privilege concerns that you should understand before installing.
Guidance: Before installing or enabling this skill: 1) Treat the runtime 'npm i -g @fly-ai/flyai-cli' instruction as a supply-chain decision — inspect the '@fly-ai/flyai-cli' package on the npm registry (owner, code, versions, last publish date) or prefer installing it yourself in a sandbox/container instead of letting the agent run a global install. 2) Ask the skill author or check a homepage (none provided) to clarify the Fliggy vs flyai naming and whether the CLI requires API keys; do not supply credentials until you confirm what's required and where they are stored. 3) If you must try it, run the CLI installation and executions in an isolated VM or container and review network traffic/permissions. 4) If you prefer lower risk, decline skills that perform unpinned global installs or that lack transparent upstream sources and documentation.
Findings: [no_code_files_to_scan] expected: The scanner found no code files because this is an instruction-only skill (SKILL.md + references). That is expected; lack of findings is not evidence of safety.

Review Dimensions

Purpose & Capability: noteThe name/description and SKILL.md consistently describe a flight/hotel/train booking helper that relies on a CLI (flyai) — this is coherent with the stated purpose. Minor inconsistency: description references 'Fliggy (Alibaba Group)' while the CLI/package name used is 'flyai' / '@fly-ai/flyai-cli' (different branding). That mismatch could be benign (marketing vs implementation) but it is unexplained.
Instruction Scope: noteInstructions are narrowly scoped to running the flyai CLI and formatting results; they do not instruct the agent to read unrelated files or environment variables. However, the SKILL.md mandates the agent must install and use the CLI (never use training data) and enforces all output come from the CLI, which gives this skill broad runtime authority to run networked CLI commands and to perform an npm global install if needed.
Install Mechanism: concernAlthough the registry has no formal install spec, the runtime instructions direct the agent to run 'npm i -g @fly-ai/flyai-cli' when flyai is missing. This is an unpinned global npm install performed at runtime with no integrity checks or version pinning — a moderate-to-high supply-chain risk. The package name does not obviously map to the 'Fliggy' brand claimed in the description.
Credentials: noteThe skill declares no required environment variables or credentials, which is plausible for an instruction-only wrapper. However, a booking CLI typically requires API keys, authentication, or payment details; absence of declared credentials is notable. If the flyai CLI requires tokens or user login, the skill does not document or request them explicitly, creating an unexplained gap.
Persistence & Privilege: concernalways:false and no code files are good, but the instruction to run a global 'npm i -g' will modify the host environment (global package installation) and may require elevated permissions on some systems. The skill does not request persistent configuration itself, but the runtime global install increases system privilege/surface area and should be treated cautiously.