Navifare - Flight Price Double-Check, Finds Hidden Deals
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your flight route, dates, times, passenger count, and reference price may be sent to Navifare to perform the comparison.
The skill discloses that flight itinerary and price details are sent to Navifare's hosted MCP server for comparison. This is purpose-aligned, but travel plans can still be sensitive.
**What is sent to the Navifare MCP server:** - Flight numbers, airlines, airports, dates, and times - Travel class and passenger count ... - A reference price and currency
Use the skill only with itinerary details you are comfortable sharing, and remove passenger names, booking references, passport details, and payment information from screenshots or text.
If you choose the local MCP option, your agent environment may run code fetched from npm, and future package changes could affect behavior.
The optional local installation runs an npm package without a pinned version. This is a disclosed, purpose-aligned setup path, but it relies on external package provenance.
"command": "npx", "args": ["-y", "navifare-mcp"]
Prefer the hosted MCP if acceptable, or review/pin the npm package version and verify the repository/package source before running the local MCP server.
If you use local mode, the MCP server can use your Gemini API key and associated quota for parsing flight requests.
Hosted use requires no credential, but the optional local MCP setup asks for a Gemini API key for request formatting. This is disclosed and related to the stated purpose.
"GEMINI_API_KEY": "your-gemini-api-key" ... Local installation requires a Google Gemini API key
Use a dedicated, limited-scope API key where possible, store it securely, monitor usage, and revoke it if you stop using the local MCP server.