Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Amadeus Flight Query

v1.0.0

Query flight offers (price, schedule, availability) via Amadeus API. Use when user asks about flight/机票/航班 prices, schedules, or availability.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name, description, required binaries (node), and the code all align with a flight-query integration for the Amadeus API. The requests the skill makes (Amadeus endpoints) are coherent with the stated purpose.
Instruction Scope
SKILL.md instructs running the provided node scripts and only references Amadeus endpoints. It also documents AMADEUS_BASE_URL for switching between test and production. The runtime instructions do not ask for unrelated system files or credentials beyond Amadeus, but the docs say 'hardcoded defaults are used' — and the code indeed contains default API credentials and defaults the base URL to a test endpoint.
Install Mechanism
No install spec is provided (instruction-only deployment). No third-party downloads or archive extraction occur; this minimizes install-time risk.
Credentials
The skill requires only AMADEUS_API_KEY and AMADEUS_API_SECRET which match the service. However: (1) the code also reads AMADEUS_BASE_URL (used for switching to production) but this variable is not listed in the declared required env vars — a documentation mismatch; (2) both scripts include hardcoded default API key and secret values and default to a test API base. Shipping credentials (even for a test environment) in-source is a security concern: they may be valid, reused, or abused by anyone with access to the skill bundle.
Persistence & Privilege
The skill does not request elevated persistence (always:false). It does not modify other skills or agent-wide configs. Autonomous invocation is allowed but not unusual and is not combined with any other high privilege.
What to consider before installing
This skill appears to legitimately call the Amadeus API, but take these precautions before installing or using it:
- The scripts include hardcoded API key and secret defaults and default to Amadeus's test endpoint. Treat those embedded credentials as potentially sensitive (or potentially public test credentials). Remove or replace them with your own keys and never rely on the bundled defaults for production.
- SKILL.md mentions AMADEUS_BASE_URL but that env var is not listed in the declared requirements — make sure to set AMADEUS_BASE_URL to https://api.amadeus.com for production if you want real data. Confirm any environment variables used by the code are intentionally set.
- Review the two provided scripts (scripts/airports.mjs and scripts/query.mjs) yourself; they perform HTTP requests to Amadeus endpoints and will send whatever API key/secret they have access to. If you must keep these scripts, remove hardcoded secrets and ensure the runtime environment injects only the intended credentials.
- Because the skill will make network calls, consider whether you trust the destination (Amadeus) and that network access is acceptable in your environment. Monitor usage and rotate keys if you install and use the skill.

If you want the skill to be acceptable for production use: remove embedded credentials, update SKILL.md to declare AMADEUS_BASE_URL, and ensure the required env var list matches what the code reads.

Like a lobster shell, security has layers — review code before you run it.

latestvk97btv4dpngm3vsjbvg7ar4yzx81pcat

Runtime requirements

✈️ Clawdis
Bins: node
Env: AMADEUS_API_KEY, AMADEUS_API_SECRET
