Google Flights Realtime API

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The visible artifacts describe a coherent RapidAPI flight-search helper, but it uses your RapidAPI key and may run curl/bash requests that can consume API quota.

This appears safe to install if you are comfortable giving the agent access to a RapidAPI key for flight searches. Monitor RapidAPI usage, keep the key protected, and ask the agent to limit or confirm large date-range scans before running them. The SKILL.md excerpt was truncated in the provided artifacts, so review the installed file if you need full assurance.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Low
What this means

Anyone using the skill must trust it with a RapidAPI key that may be tied to usage limits or billing.

Why it was flagged

The skill requires a RapidAPI key and sends it to the stated RapidAPI flight endpoint. This is expected for the integration, but the key represents account access and API quota.

Skill content

The key should be configured as the `RAPIDAPI_KEY` environment variable... `x-rapidapi-key: <RAPIDAPI_KEY>`

Recommendation

Use a scoped RapidAPI key if available, monitor usage, and avoid sharing logs or transcripts that might reveal the key.

ASI02: Tool Misuse and Exploitation
Low
What this means

Large searches could hit rate limits or consume RapidAPI quota faster than expected.

Why it was flagged

Parallel expansion is consistent with the skill's purpose of searching many date combinations, but it can generate many API calls quickly if the user gives a broad date range or many destinations or trip lengths.

Skill content

When the user asks for a date range, generate a bash script that fires all curl requests in parallel using background processes... Expand ALL dimensions from the user's request

Recommendation

Ask the agent to confirm large date-range scans, limit destinations/dates/nights, and review expected request counts before running broad searches.

ASI05: Unexpected Code Execution
Low
What this means

The agent may use local command execution rather than a more constrained built-in connector.

Why it was flagged

Although the package contains no code files, the runtime instructions rely on local shell commands and generated bash scripts to make API requests.

Skill content

IMPORTANT: Always use `curl` to call the API... Example parallel date-range scan... `#!/bin/bash`

Recommendation

Review generated shell commands before execution, especially scripts for multi-date searches.

ASI09: Human-Agent Trust Exploitation
Info
What this means

A user might assume the skill never causes local commands to run, even though the visible instructions include command-based API calls.

Why it was flagged

The skill's "No code execution" statement is accurate in the sense that no code files are bundled, but it may understate that the visible SKILL.md instructions tell the agent to use curl and generate bash scripts at runtime.

Skill content

**No code execution.** This skill contains only instructions for the AI agent — no scripts, no `eval`, no dynamic code execution.

Recommendation

Treat the skill as an instruction-only API helper that may still ask the agent to run shell commands.