Flight Search

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a normal flight search and price monitoring skill, but it requires travel API keys and can keep a local list of monitored routes for recurring checks.

Before installing, make sure you are comfortable providing Amadeus credentials, optionally AviationStack credentials, and storing monitored flight routes locally. Use sandbox mode first, protect config.json, monitor API usage, and disable or clear price monitoring when you no longer need it.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

You must provide API keys, and searches or status checks may consume your Amadeus or AviationStack quota.

Why it was flagged

The skill requires third-party API credentials for its core function. This is purpose-aligned and disclosed, but users are delegating access to provider accounts and quotas.

Skill content

credentials: required: - name: AMADEUS_API_KEY ... - name: AMADEUS_API_SECRET ... optional: - name: AVIATIONSTACK_API_KEY

Recommendation

Use dedicated API keys, start in sandbox mode, monitor provider usage, and do not commit config.json or share it.

What this means

Setup may fail until Python and requests are available, and any manual dependency installation should come from trusted sources.

Why it was flagged

The registry/install section does not declare required binaries or an install spec, while the README documents a Python dependency. No hidden install behavior is shown, but users may need to install dependencies manually.

Skill content

Requirements: - Python 3.7+ - `requests` library - Amadeus API credentials

Recommendation

Install dependencies only from trusted package sources and consider pinning versions in your own environment.

What this means

Local files may reveal where and when you plan to travel if the workspace is shared or backed up.

Why it was flagged

Price monitoring stores route, date, price, and alert history in a persistent local JSON file. This is expected for monitoring, but it records personal travel plans.

Skill content

cat .monitored_flights.json ... "origin": "CNF", "destination": "BKK", "departure_date": "2026-12-15", "last_price": 4720.00

Recommendation

Keep the workspace private, avoid sharing .monitored_flights.json, and delete monitored routes when no longer needed.

What this means

Recurring checks can consume API quota and may continue tracking routes longer than intended.

Why it was flagged

The documentation describes recurring price checks through a heartbeat workflow. This is purpose-aligned for airfare alerts, but it can continue making API calls until the user disables monitoring.

Skill content

Checks periodically (every 6 hours) ... Add to your `HEARTBEAT.md`

Recommendation

Enable monitoring only for routes you care about, limit the number of monitored routes, and remove HEARTBEAT entries or monitored routes when finished.