Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Track Flight

v1.0.0

Track flights in real-time with detailed status, gate info, delays, and live position. Use when user asks to track a flight, check flight status, look up fli...

0· 595·1 current·1 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability (flagged)
The code and SKILL.md match the described purpose (tracking flights via AviationStack). However, the registry metadata lists no required environment variables or primary credential, while both the SKILL.md and scripts/track_flight.py require AVIATIONSTACK_API_KEY — a clear metadata omission. Also, _meta.json lists the owner as 'copey02' while the registry owner ID differs, which is a provenance inconsistency.
Instruction Scope (flagged)
Runtime instructions are narrowly scoped to calling the AviationStack API and formatting results; the script only reads AVIATIONSTACK_API_KEY from the environment. However the SKILL.md explicitly notes the free tier is HTTP-only, meaning the instructions lead to sending the API key as a query parameter over non-encrypted HTTP — this is outside typical safety expectations for a networked integration and increases credential-exposure risk.
Install Mechanism
There is no install spec (instruction-only), and the SKILL.md tells users to pip3 install requests. The package includes a Python script but does not write or download additional artifacts. Lack of an install step is low-risk, but the presence of an executable script means users will run local code — review it (which we did) before running.
Credentials (flagged)
The skill legitimately requires a single API key (AVIATIONSTACK_API_KEY) to function. That is proportionate for a flight-tracker. The problem is the required env var is not declared in the registry metadata (visibility/consent issue), and the key will be transmitted in cleartext over HTTP by default on the free plan — a high-risk handling of credentials.
Persistence & Privilege
The skill does not request elevated persistence or system-wide changes. always:false and normal invocation semantics apply. It does not attempt to modify other skills or system configs.
What to consider before installing

- The script and docs require an AVIATIONSTACK_API_KEY but the registry metadata does not declare this — the skill will fail unless you set that env var. Treat that as a metadata omission and verify you are comfortable providing the key.
- The SKILL.md warns the free AviationStack tier is HTTP-only: the script sends your API key as a query parameter over plain HTTP, which can expose it on networks or to intermediaries. Prefer not to use this skill with your primary/long-lived API key on untrusted networks. If possible, use a paid AviationStack plan (HTTPS) or a proxy that upgrades to HTTPS.
- Verify the skill provenance: the _meta.json owner differs from the registry owner ID; confirm you trust the source or run the script in an isolated environment first.
- Before running, inspect the included scripts (you can run them in a sandbox) and avoid pasting your API key into shared shells or logs. Consider creating a limited/throwaway API key if the provider supports it.

Given the metadata omissions and the insecure transport of the API key, proceed only after you accept these risks or after the author fixes the metadata and the script is configured to use HTTPS endpoints.


latest · vk97c1r2ywmm2zwwc4pgjra6tzd81dxn4
