Skill v0.1.0

ClawScan security

Aviationstack Cli · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 14, 2026, 4:51 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions generally match a CLI wrapper for AviationStack, but the SKILL.md asks users/agents to download and run installers (including curl | bash) and implicitly requires an AviationStack API token and certain tools without declaring them — these mismatches are concerning.
Guidance
This skill appears to be a CLI helper for AviationStack but has some gaps and risky install steps. Before installing:
1) Verify the source repositories (Melvynx/aviationstack-cli and api2cli) on GitHub and inspect the code/release artifacts.
2) Do not run curl | bash (bun.sh) without reviewing the installer — prefer manual installation or an audited package.
3) Be aware you will need to supply an AviationStack API token; create a least-privilege key and confirm the skill only uses that token for the API.
4) Prefer installing/testing in an isolated environment (container or VM) if you must run the automated install steps.
5) Ask the skill author to update metadata to declare required binaries and the required API credential so the requirements match the instructions.
These steps will reduce risk and make the skill's intent and requirements clear.

Review Dimensions

Purpose & Capability
concern: The name/description (AviationStack CLI) aligns with the commands shown. However the manifest declares no required binaries or credentials, while the SKILL.md expects npx, api2cli, and possibly bun, and it shows an auth step requiring a token. The skill should declare the API token and the runtime tools it actually needs.
Instruction Scope
concern: The runtime instructions are focused on installing and using the CLI, but they instruct the agent/user to run network installers and a shell install script (curl -fsSL https://bun.sh/install | bash). The doc does not declare or explain where the API token should come from, and it gives broad install instructions that download and execute code.
Install Mechanism
concern: There is no formal install spec in the metadata, but SKILL.md tells users to run npx api2cli install Melvynx/aviationstack-cli, npx api2cli bundle/link, and a curl|bash install for bun. Running curl|bash to install software and using npx to fetch code from registries are higher-risk actions and should be declared and justified in metadata.
Credentials
concern: The manifest states no required env vars or primary credential, but the instructions require running 'aviationstack-cli auth set "your-token"' (i.e., an API key). This is an omission — the skill implicitly needs an AviationStack API token but does not declare it in requires.env.
Persistence & Privilege
note: The skill does not request always:true and is user-invocable (normal). The install/link steps will add binaries to the user's ~/.local/bin and may modify PATH for the user environment; that is a fairly standard local install behavior but should be noted.