本月轻松旅行盲盒
ReviewAudited by ClawScan on May 10, 2026.
Overview
The travel-planning behavior matches the stated purpose, but the skill may install an unpinned global FlyAI command-line tool during use, including a sudo fallback, so it should be reviewed before installation.
Before installing, decide whether you trust the FlyAI CLI. Prefer installing a pinned version yourself, do not allow sudo installs unless you fully trust the package, and remember that your city and travel plans may be sent to FlyAI to generate results.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A normal travel request could modify the user's local system by installing or updating a global npm package; if sudo is used, the package receives elevated installation privileges.
This directs the agent to install an external CLI globally at runtime, without a pinned version or explicit user-approval boundary, and suggests sudo if permissions fail.
在执行任何搜索之前,必须先确保 FlyAI CLI 已正确安装。... ❌ 未安装:执行安装流程 ... npm install -g @fly-ai/flyai-cli ... 建议使用 `sudo npm install -g @fly-ai/flyai-cli`
Require explicit user approval before any install, pin the FlyAI CLI version in a proper install spec, avoid sudo by default, and recommend manual installation from a trusted source.
City-level location and travel intent may be sent to FlyAI and possibly linked booking providers to produce recommendations.
The skill uses FlyAI provider searches to process the user's city, destination candidates, travel dates, and transport routes.
flyai ai-search --query "<城市名> 本月周末天气预报" ... flyai search-train --origin "<出发城市>" --destination "<目的地>" ... flyai search-flight --origin "<出发城市>" --destination "<目的地>"
Use only city-level locations rather than sensitive addresses, verify booking links before purchase, and review FlyAI's privacy terms if the itinerary is sensitive.