Variflight

v1.0.1

Query flight information, train tickets, and travel data using Variflight (飞常准) HTTP API. Use when the user needs to (1) search flights by route or flight number, (2) check flight status and punctuality, (3) find train tickets, (4) get airport weather forecasts, (5) check flight prices, (6) plan multi-modal trips (flight+train), or (7) get flight comfort metrics (happiness index).

by Variflight @lyz1990
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's functionality (flight/train/weather queries) matches the included scripts and the Python wrapper which POSTs to https://ai.variflight.com/api/v1/mcp/data. However the registry metadata claims no required environment variables or primary credential, while the SKILL.md and the code clearly require VARIFLIGHT_API_KEY (and accept --api-key). This mismatch (no declared credential vs. code expecting an API key) is incoherent and should be fixed by the author.
Instruction Scope
Runtime instructions and scripts are narrowly scoped: they build JSON payloads and POST to the stated Variflight base URL. The wrapper looks for an API key via CLI arg, VARIFLIGHT_API_KEY env var, or a small set of config files (./.variflight.json, ~/.variflight.json, ~/.config/variflight/config.json) and a legacy OpenClaw path (~/.openclaw/workspace/.env.variflight). The code does not attempt arbitrary file collection or send data to unexpected endpoints, but it does read user config files (including the OpenClaw env file) to extract the API key.
Install Mechanism
There is no automated install spec in the registry (instruction-only). The README and SKILL.md suggest a git clone from github.com/variflight-ai/variflight-skill.git and copying scripts; included files are plain shell and Python using only standard libraries. No downloads from obscure URLs or archive extraction were observed in the package.
Credentials
The skill requires a single API credential (VARIFLIGHT_API_KEY) for the service it integrates with, which is reasonable. However, the package metadata did not declare any required env vars or primary credential, which contradicts the code. Additionally, the Python wrapper checks a legacy OpenClaw env file (~/.openclaw/workspace/.env.variflight) and other config locations; while it only extracts VARIFLIGHT_API_KEY, reading that file could surface other environment data if the format differs. The absence of a declared primaryEnv in the registry makes it unclear to the installer what secrets will be needed or where they will be read from.
Persistence & Privilege
The skill does not request permanent inclusion (always=false), does not modify other skills or system configs, and does not write persistent credentials to new locations. It only reads existing configuration files and environment variables to find an API key. Autonomous invocation is allowed by default but is not combined with other privilege-escalating behaviors.
What to consider before installing
What to check before installing:
- Confirm the API key requirement: the code and SKILL.md require VARIFLIGHT_API_KEY, but the registry metadata lists none. Ask the publisher to update registry metadata (declare VARIFLIGHT_API_KEY as the primary credential).
- Verify the source: SKILL.md suggests cloning from https://github.com/variflight-ai/variflight-skill.git and talks to https://ai.variflight.com. Confirm that those domains/repositories are official and trustworthy before providing any API key.
- Inspect config files referenced (~/.variflight.json, ~/.config/variflight/config.json, ~/.openclaw/workspace/.env.variflight) to ensure they don't contain unrelated secrets. Prefer storing the Variflight key in a minimal-scope secret (CI secret store or a purpose-built config file) rather than broad shell rc files.
- Run the scripts in a restricted environment (sandbox/VM/container) if you need to test them, and monitor network calls to confirm they only contact the expected host (ai.variflight.com).
- If you need stronger assurance, request the maintainer to: (1) publish a homepage/source link in registry metadata, (2) explicitly declare required environment variables in the registry, and (3) provide a reproducible package (checked release on GitHub) so you can verify integrity.

Why I labelled this suspicious: The functionality and code are coherent with the described purpose, but the registry metadata omission of the required API key and the code's reading of user config paths create an unexplained mismatch that should be resolved before trusting the skill with secrets.

Like a lobster shell, security has layers — review code before you run it.

latestvk9742azsk5a2rxmb0k51zyrjms80yskx
