Variflight

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: variflight
Version: 1.0.1

The OpenClaw AgentSkills skill bundle is benign. All shell scripts act as wrappers, safely passing arguments to the `variflight.py` Python script. The Python script correctly parses arguments, loads API keys from expected locations, and then securely serializes all user-provided parameters into a JSON body before making an HTTP POST request to a hardcoded, legitimate Variflight API endpoint (`https://ai.variflight.com/api/v1/mcp/data`) using `urllib.request`. There is no evidence of prompt injection in `SKILL.md` or `README.md`, no data exfiltration, no malicious execution (e.g., `eval`, `os.system`, `curl|bash`), and no attempts at persistence or obfuscation.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your Variflight API key will be used by the local wrapper to authenticate requests to Variflight.

Why it was flagged

The script reads a local Variflight API key from environment/config sources and sends it as an authentication header to the Variflight API. This is expected for the integration, but it is still credential use.

Skill content

paths = ['./.variflight.json', os.path.expanduser('~/.variflight.json'), os.path.expanduser('~/.config/variflight/config.json')]; headers={'X-VARIFLIGHT-KEY': api_key, 'Content-Type': 'application/json'}

Recommendation

Use a scoped Variflight key if available, avoid pasting keys into shared command histories, and remove config files if you uninstall the skill.

What this means

You may not have registry-level assurance that the included scripts came from the claimed provider.

Why it was flagged

The registry metadata does not provide a verified source or homepage, while the skill documentation describes cloning or copying local scripts. This is not suspicious by itself, but users should verify provenance before trusting code with an API key.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

Recommendation

Verify the repository or provider independently before installing, especially before adding an API key.

What this means

Using the skill runs local shell/Python wrapper scripts to make the API request.

Why it was flagged

The shell wrapper runs the included Python API client. Local execution is central to this skill’s stated purpose and the code is provided, but users should be aware it is not purely documentation.

Skill content

python3 "$SCRIPT_DIR/variflight.py" "$@"

Recommendation

Review the included scripts and ensure Python 3 is available before use.