Navifare - Flight Price Double-Check, Finds Hidden Deals

Pass. Audited by ClawScan on May 1, 2026.

Overview

This flight-price comparison skill is purpose-aligned. The main things to notice are external sharing of itinerary details and an optional local npm/Gemini-key setup.

This skill appears safe to install if you are comfortable sending pre-booking flight details to Navifare for price comparison. Avoid sharing screenshots or text that contain passenger names, booking references, passport data, or payment information. If you use the optional local MCP setup, review the npm package source and protect the Gemini API key.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your flight route, dates, times, passenger count, and reference price may be sent to Navifare to perform the comparison.

Why it was flagged

The skill discloses that flight itinerary and price details are sent to Navifare's hosted MCP server for comparison. This is purpose-aligned, but travel plans can still be sensitive.

Skill content

**What is sent to the Navifare MCP server:**
- Flight numbers, airlines, airports, dates, and times
- Travel class and passenger count
...
- A reference price and currency

Recommendation

Use the skill only with itinerary details you are comfortable sharing, and remove passenger names, booking references, passport details, and payment information from screenshots or text.

What this means

If you choose the local MCP option, your agent environment may run code fetched from npm, and future package changes could affect behavior.

Why it was flagged

The optional local installation runs an npm package without a pinned version. This is a disclosed, purpose-aligned setup path, but it relies on external package provenance.

Skill content

"command": "npx", "args": ["-y", "navifare-mcp"]

Recommendation

Prefer the hosted MCP if acceptable, or review/pin the npm package version and verify the repository/package source before running the local MCP server.

What this means

If you use local mode, the MCP server can use your Gemini API key and associated quota for parsing flight requests.

Why it was flagged

Hosted use requires no credential, but the optional local MCP setup asks for a Gemini API key for request formatting. This is disclosed and related to the stated purpose.

Skill content

"GEMINI_API_KEY": "your-gemini-api-key" ... Local installation requires a Google Gemini API key

Recommendation

Use a dedicated, limited-scope API key where possible, store it securely, monitor usage, and revoke it if you stop using the local MCP server.