maldives-island-picker
Review
Audited by ClawScan on May 10, 2026.
Overview
Prompt-injection indicators were detected in the submitted artifacts (unicode-control-chars); human review is required before treating this skill as clean.
This skill looks safe for normal travel planning. Before using it, be aware that it may run an external flyai CLI via npx, send travel criteria to web search/product services, and save a local report file. Do not include unnecessary sensitive personal information, and review the output filename before saving. ClawScan detected prompt-injection indicators (unicode-control-chars), so this skill requires review even though the model response was benign.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the product lookup may download or execute third-party CLI code from the npm ecosystem.
The skill runs an external npm-hosted CLI through npx to query travel products. This is disclosed and central to the product-lookup feature, but the external package version/provenance is not pinned in the artifacts.
npx @fly-ai/flyai-cli keyword-search --query "马尔代夫 {已验证的岛屿名} 酒店"
Use the command only in a trusted environment, consider pinning or reviewing the package/version, and skip the flyai step if you do not want external CLI execution.
Travel preferences such as trip type, budget range, and desired island features may be included in external search queries.
The skill sends user-derived travel criteria to external search/fetch tools as part of generating recommendations. This is expected for the stated purpose and is clearly described.
Use the `web_search` tool to launch 3 rounds of searches in parallel... for the 1-2 most informative links, use `web_fetch` to retrieve the detailed content
Avoid sharing sensitive personal details beyond what is needed for travel recommendations.
A Markdown report containing the user’s travel preferences and recommendations will be saved locally and could overwrite a same-named file for the same date.
The skill creates a local report file by default. This is aligned with its report-generation purpose and is disclosed, but it is still a local file write.
By default, use `create_file` to save the report to the current working directory, with the filename format: `马尔代夫选岛报告-{日期}.md`
Check the output filename/location before saving, especially if working in a shared or important directory.
