Variflight
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Variflight API key will be used by the local wrapper to authenticate requests to Variflight.
The script reads a local Variflight API key from environment/config sources and sends it as an authentication header to the Variflight API. This is expected for the integration, but it is still credential use.
paths = ['./.variflight.json', os.path.expanduser('~/.variflight.json'), os.path.expanduser('~/.config/variflight/config.json')]; headers={'X-VARIFLIGHT-KEY': api_key, 'Content-Type': 'application/json'}Use a scoped Variflight key if available, avoid pasting keys into shared command histories, and remove config files if you uninstall the skill.
You may not have registry-level assurance that the included scripts came from the claimed provider.
The registry metadata does not provide a verified source or homepage, while the skill documentation describes cloning or copying local scripts. This is not suspicious by itself, but users should verify provenance before trusting code with an API key.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Verify the repository or provider independently before installing, especially before adding an API key.
Using the skill runs local shell/Python wrapper scripts to make the API request.
The shell wrapper runs the included Python API client. Local execution is central to this skill’s stated purpose and the code is provided, but users should be aware it is not purely documentation.
python3 "$SCRIPT_DIR/variflight.py" "$@"
Review the included scripts and ensure Python 3 is available before use.