Flight Search

v1.0.2

Search flights, compare prices, and monitor airfare using Amadeus API

by Marco Rabelo (@marcorabelo)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign (View report →)
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md and included files clearly require Amadeus (AMADEUS_API_KEY and AMADEUS_API_SECRET) and optionally an AviationStack key — these credentials are appropriate for a flight-search skill. However, the registry metadata at the top of the submission lists 'Required env vars: none' and 'Primary credential: none', which contradicts the SKILL.md frontmatter and the code. This mismatch between declared registry requirements and actual runtime requirements is concerning: it can mislead users about what secrets the skill needs.
Instruction Scope
SKILL.md instructs the agent/user to provide API keys, create a config.json (or use environment variables), and run provided Python and shell scripts. All referenced actions and files (search, monitor, check_status) are within the stated purpose (flight search, price monitoring, flight status). There are no instructions in SKILL.md to access unrelated system files or remote endpoints beyond the documented APIs.
Install Mechanism
There is no package/install spec (instruction-only at registry level), which is lower risk. However, the bundle includes multiple executable files (Python clients and bash scripts). Because code is shipped with the skill, the agent or user may run scripts locally; that is expected but means the skill is not truly 'instruction-only' in practice. No external download URLs or obscure installers are present in the provided files.
Credentials
The environment variables requested in SKILL.md (AMADEUS_API_KEY, AMADEUS_API_SECRET, optional AVIATIONSTACK_API_KEY) are proportionate to the described functionality. The concern is the inconsistency: the registry metadata did not list required env vars while SKILL.md explicitly declares them. Also README/CONFIGURATION imply Python 3.7+ and the 'requests' library are needed, but these runtime requirements were not enumerated in the registry metadata.
Persistence & Privilege
The skill does include a monitoring feature that writes a local .monitored_flights.json and scripts that can be run repeatedly, but the skill is not marked always:true and does not request system-wide privileges. It does not attempt to modify other skills' configs. Autonomous invocation is allowed (platform default) but not combined with other high-risk indicators here.
Scan Findings in Context
[pre-scan-injection-signals] expected: No pre-scan injection signals were detected. The bundle contains Python and bash scripts; the changelog and SECURITY.md claim prior command-injection issues were fixed (removed eval, safe argv handling). The absence of regex flags aligns with the claim, but manual review before running is still recommended.
[registry-metadata-mismatch] unexpected: Registry metadata indicates no required env vars / no primary credential, but SKILL.md frontmatter and code explicitly require Amadeus credentials. This mismatch is not expected for this purpose and should be reconciled.
What to consider before installing
What to check before installing or running this skill:
1) Metadata mismatch: The SKILL.md and included code require AMADEUS_API_KEY and AMADEUS_API_SECRET (and optionally AVIATIONSTACK_API_KEY), but the registry metadata claims no required env vars. Treat the SKILL.md as authoritative for runtime needs — verify the registry entry / vendor before trusting it.
2) Review the shipped code locally before executing: The package contains Python clients and shell scripts that will be run to perform searches and monitoring. Inspect the scripts (scripts/*.sh) and Python files (lib/*.py) to ensure they won't run unexpected commands or contact unknown endpoints. Run them in an isolated environment (VM or container) if possible.
3) Secrets handling: Provide keys via environment variables or a local config.json that is kept out of version control. The project advises .gitignore for config.json — follow that. If you accidentally commit keys, rotate them immediately.
4) Runtime dependencies: The README indicates Python 3.7+ and the 'requests' library are required. The registry did not list these requirements; ensure your environment has the correct Python version and libraries.
5) Monitoring behavior: The monitoring feature writes a local .monitored_flights.json and expects periodic checks. There is no installer to schedule background tasks; if you enable monitoring, be aware of local files created and rate limits on your API quotas.
6) Provenance and trust: The skill has 'Source: unknown' and 'Homepage: none' — prefer skills with a known source or repository. If you plan to use production API keys, verify the maintainer and review the repository history.
7) Start in sandbox: Use Amadeus sandbox/test credentials first (as suggested) to validate behavior without impacting real quotas or incurring charges.
If you want, I can: (a) summarize places in the code that read/write files or network endpoints, (b) point to exact lines in the scripts to review, or (c) suggest a safe checklist/commands to run the scripts inside a container.


Latest version id: vk979vkz6gwgb4jsy6xjkmsgcv5827c7q

