Travel Information and News
Analysis
The skill is a coherent travel-search tool, but it relies on external search providers, API keys, optional browser automation, and user-installed dependencies that users should review before use.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
puppeteer.launch({
headless: true,
executablePath: "/usr/bin/chromium",
args: ["--no-sandbox", "--disable-gpu", "--disable-dev-shm-usage"],
});Optional browser scraping launches Chromium with the sandbox disabled, which is common in some automation setups but weakens browser isolation.
pip install requests fpdf2 python-docx ... npm install puppeteer
The setup instructions install unpinned packages and optional system/browser tooling, which is expected for this skill but leaves dependency versions to the installation environment.
urllib.request.urlretrieve(url, font_path)
When generating PDFs without a local CJK font, the script downloads a font from GitHub to /tmp for PDF rendering.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
TAVILY_API_KEY=your_tavily_key_here BRAVE_API_KEY=your_brave_key_here # Optional
The skill requires a Tavily API key and optionally a Brave API key, despite registry metadata declaring no required env vars or primary credential.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
requests.post(
"https://api.tavily.com/search"User search queries are sent to external search providers; Brave is also used when enabled.