Track Flight
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent flight-tracking skill, but it uses an AviationStack API key over an HTTP API and asks for a manual Python dependency install.
Before installing, be aware that the free AviationStack setup uses HTTP rather than HTTPS and that the setup stores or exports an API key. Use a dedicated revocable key, consider an HTTPS-capable provider or plan if privacy matters, and install Python dependencies in an isolated environment when possible.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone able to observe the network path could see the AviationStack key and the flight number being queried.
The user's AviationStack API key is sent with the flight number to the provider over an HTTP endpoint. This is expected for the service, but the key is not protected by HTTPS in transit.
base_url = "http://api.aviationstack.com/v1/flights" ... params = { 'access_key': api_key, 'flight_iata': flight_number.upper() }
Use a dedicated, low-privilege or easily revocable AviationStack key, monitor quota usage, and prefer an HTTPS-capable plan or alternative provider if confidentiality matters.
Installing packages directly into the current Python environment can change that environment and relies on the package source being trustworthy at install time.
The setup asks users to install an unpinned Python package manually. This is a normal dependency for the included script, but it is not locked to a specific reviewed version.
pip3 install requests
Install dependencies in a virtual environment where possible and use trusted package indexes or pinned versions if your environment requires reproducible installs.
The API key may remain on the machine longer than intended and may be accessible to programs launched from that shell environment.
The documentation suggests storing the API key in a shell profile so it persists across terminal sessions. This is user-directed setup, but it makes the credential available to future shell sessions and child processes.
echo "export AVIATIONSTACK_API_KEY='your-api-key-here'" >> ~/.zshrc
source ~/.zshrc
Only make the key persistent if needed, avoid sharing shell profiles, remove the export line when no longer using the skill, and revoke the key if it may have been exposed.
