Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Aviasales Flight Search
v1.0.0
Search for cheap flights and airfare via Travelpayouts/Aviasales API. Supports date-specific search, price calendar, round-trip, cheapest-price monitoring, p...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description match the code and instructions: the skill queries Travelpayouts/Aviasales endpoints to search flights and look up IATA codes. Requiring a Travelpayouts API token is appropriate for this purpose. However, the registry metadata declares no required environment variables while SKILL.md and the script explicitly require TRAVELPAYOUTS_TOKEN — the metadata omission is an inconsistency.
Instruction Scope
SKILL.md instructs the agent to call the included Python script and to set TRAVELPAYOUTS_TOKEN. The runtime steps are limited to: autocomplete lookup, prices_for_dates, grouped_prices, get_latest_prices, and fetching airlines data. The script only reads the token environment variable, writes a cache to /tmp/airlines_cache.json, and performs HTTP requests to Travelpayouts/autocomplete/Aviasales endpoints — all within the expected scope of a flight search skill.
Install Mechanism
This is instruction-only with an included Python script and no install spec. The script imports the third-party 'requests' library but the skill does not declare dependencies or provide an install step — users must ensure 'requests' is available. Lack of a declared install mechanism is not malicious by itself but is an operational shortcoming that can cause runtime failures.
Credentials
The script requires a TRAVELPAYOUTS_TOKEN (checked via os.environ) and uses it to call Travelpayouts endpoints. That single credential is proportionate to the stated purpose. The problem: the registry metadata does not list this required env var (it lists none), creating an inconsistency that could mislead users into providing the token in an unexpected way or deploying without realizing a secret is required. No other unrelated credentials or sensitive paths are requested.
Persistence & Privilege
The skill does not request persistent platform privileges (always:false) and does not modify other skills or system-wide settings. It writes a transient cache to /tmp/airlines_cache.json (24h TTL), which is normal for this use case.
What to consider before installing
This skill appears to be a legitimate Aviasales/Travelpayouts flight search tool, but there are practical concerns to resolve before installing:
1) The SKILL.md and script require TRAVELPAYOUTS_TOKEN, but the registry metadata does not declare any required environment variables — treat this as a red flag and confirm why the metadata is missing the token requirement.
2) The package has no install spec and the script depends on the Python 'requests' library; ensure the runtime has that dependency.
3) The script performs network calls to Travelpayouts/autocomplete/Aviasales and caches airline data to /tmp/airlines_cache.json — if you supply a token, make sure it has limited scope and is stored securely (not in a broadly readable file).
4) The source and homepage are unspecified; consider obtaining the skill from a known/trusted publisher or audit the included script yourself (it is present and readable) before providing API credentials. If you cannot verify the publisher, run the skill in a sandboxed environment and avoid reusing high-privilege tokens.
Like a lobster shell, security has layers — review code before you run it.
