Skill v1.0.0
ClawScan security
Track Flight · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 18, 2026, 9:32 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill appears to implement a flight tracker that matches its description, but the package metadata omits the required AVIATIONSTACK_API_KEY, the skill instructs use of AviationStack's free (HTTP-only) endpoint, which would send your API key in cleartext, and there are provenance/metadata inconsistencies you should review before installing.
- Guidance: What to consider before installing:
  - The script and docs require an AVIATIONSTACK_API_KEY, but the registry metadata does not declare this; the skill will fail unless you set that env var. Treat that as a metadata omission and verify you are comfortable providing the key.
  - The SKILL.md warns that the free AviationStack tier is HTTP-only: the script sends your API key as a query parameter over plain HTTP, which can expose it on networks or to intermediaries. Prefer not to use this skill with your primary/long-lived API key on untrusted networks. If possible, use a paid AviationStack plan (HTTPS) or a proxy that upgrades to HTTPS.
  - Verify the skill provenance: the _meta.json owner differs from the registry owner ID; confirm you trust the source or run the script in an isolated environment first.
  - Before running, inspect the included scripts (you can run them in a sandbox) and avoid pasting your API key into shared shells or logs. Consider creating a limited/throwaway API key if the provider supports it.
  Given the metadata omissions and the insecure transport of the API key, proceed only after you accept these risks or after the author fixes the metadata and the script is configured to use HTTPS endpoints.
Review Dimensions
- Purpose & Capability (concern): The code and SKILL.md match the described purpose (tracking flights via AviationStack). However, the registry metadata lists no required environment variables or primary credential, while both the SKILL.md and scripts/track_flight.py require AVIATIONSTACK_API_KEY: a clear metadata omission. Also, _meta.json lists owner 'copey02' while the registry owner ID differs, which is a provenance inconsistency.
- Instruction Scope (concern): Runtime instructions are narrowly scoped to calling the AviationStack API and formatting results; the script only reads AVIATIONSTACK_API_KEY from the environment. However, the SKILL.md explicitly notes that the free tier is HTTP-only, meaning the instructions lead to sending the API key as a query parameter over unencrypted HTTP; this is outside typical safety expectations for a networked integration and increases credential-exposure risk.
- Install Mechanism (note): There is no install spec (instruction-only), and the SKILL.md tells users to pip3 install requests. The package includes a Python script but does not write or download additional artifacts. Lack of an install step is low-risk, but the presence of an executable script means users will run local code; review it (which we did) before running.
- Credentials (concern): The skill legitimately requires a single API key (AVIATIONSTACK_API_KEY) to function, which is proportionate for a flight tracker. The problem is that the required env var is not declared in the registry metadata (a visibility/consent issue), and the key will be transmitted in cleartext over HTTP by default on the free plan: a high-risk handling of credentials.
- Persistence & Privilege (ok): The skill does not request elevated persistence or system-wide changes; always:false and normal invocation semantics apply. It does not attempt to modify other skills or system configs.
