rollinggo-flight-search-skill
Pass
Audited by ClawScan on May 12, 2026.
Overview
This is a coherent flight-search skill, but users should understand it runs an external RollingGo CLI, uses a RollingGo API key, and prefers unpinned latest-version installs.
Before installing, make sure you trust RollingGo and its CLI package. Store `ROLLINGGO_API_KEY` using per-skill environment injection, avoid command-line key exposure where possible, and be cautious with the optional remote installer or unpinned `@latest` execution in higher-security environments.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your RollingGo API key may be used by the CLI to authenticate flight searches, and command-line flags can be more exposed to shell history or process listings than managed environment injection.
The skill needs a provider API key and may pass it as a command-line flag or environment variable. This is expected for the RollingGo service, but it is still credential-bearing access.
Resolution order: `--api-key` flag → `ROLLINGGO_API_KEY` env var.
Prefer per-skill environment injection for `ROLLINGGO_API_KEY`; avoid pasting real keys into prompts, logs, or command examples.
A future RollingGo package release could change what code runs when the agent performs a search.
The skill intentionally uses the latest external CLI package at runtime, so behavior can change after this skill version is installed or reviewed.
Default policy for this skill: use the newest release on every run.
- **npm/npx:** `npx --yes rollinggo-flight@latest ...`
Use this only if you trust the RollingGo package source; consider pinning a known-good CLI version in controlled environments.
If you choose the standalone installer, code downloaded from GitHub will run on your machine.
The optional standalone install path executes a remote shell script. It is documented as setup, not hidden runtime behavior, but it requires trust in the remote source.
`curl -fsSL https://raw.githubusercontent.com/RollingGo-AI/rollinggo-flight-cli/main/scripts/install.sh | sh`
Use package-manager installation where possible, or review/download the installer script before running it.
If configured host-wide, more tools or skills may be able to access the RollingGo API key than necessary.
The reference explains both per-skill and host-wide API key injection. It recommends per-skill injection, but host-wide configuration would expose the key more broadly.
Per-skill (recommended) ... `"env": { "ROLLINGGO_API_KEY": "YOUR_KEY" }` ... Host-wide ... `{ "env": { "ROLLINGGO_API_KEY": "YOUR_KEY" } }`
Use the per-skill configuration unless you intentionally need the same key available to multiple trusted skills.
