Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Flight Tracker

v1.0.0

Track flights in real-time with detailed status, gate info, delays, and live position. Use when user asks to track a flight, check flight status, look up flight information by flight number (e.g., "track AA100", "what's the status of United 2402", "check my flight BA123"), or wants to display flight data in a formatted view similar to Flighty app.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The SKILL.md and script clearly use the AviationStack API and require an AVIATIONSTACK_API_KEY; that is coherent with the stated purpose. However, the registry metadata lists no required environment variables or primary credential — an omission that is inconsistent with the skill's runtime requirements and should be corrected.
Instruction Scope
Runtime instructions are narrowly scoped to extracting a flight number, running scripts/track_flight.py, and presenting results; the script only reads the AVIATIONSTACK_API_KEY env var and calls the AviationStack endpoint. However, both SKILL.md and references explicitly state the free tier uses HTTP (no HTTPS) and the script uses http://api.aviationstack.com — this means your API key and requests would be transmitted in plaintext on the network, which is a security risk.
Install Mechanism
There is no install spec that downloads arbitrary code; the skill includes a small Python script and instructs installing the widely used 'requests' package via pip. This is low-risk compared with remote download/extract installers.
Credentials
Only one credential (AVIATIONSTACK_API_KEY) is needed, which is proportionate for the stated functionality — but the registry metadata fails to declare it (primaryEnv is none). That mismatch reduces transparency. Additionally, because the free-tier API uses HTTP, supplying the key exposes it to network interception.
Persistence & Privilege
The skill does not request permanent presence (always=false) and does not modify other skill or system configs. It runs as a simple script when invoked, so no elevated persistence or privileges are requested.
What to consider before installing
Summary and recommendations:
- What doesn't add up: the metadata does not declare the required AVIATIONSTACK_API_KEY, but both SKILL.md and scripts/track_flight.py require it. Ask the publisher to update the metadata to declare AVIATIONSTACK_API_KEY as the primary credential before installing.
- Transport risk: the script calls AviationStack over HTTP (http://api.aviationstack.com). On the free tier your API key and request data would be sent in plaintext and could be exposed on the network. If you must use this skill, prefer not to store the API key in persistent shell profiles; set it in the session only, or use a paid tier/alternative API that supports HTTPS.
- Code review: the included Python script is short and only reads the environment variable, calls the AviationStack API, and prints results — it does not appear to contact other endpoints or exfiltrate unrelated files. Still, run it in a sandbox or inspect it yourself before use.
- Alternatives: consider APIs that offer HTTPS on free tiers (OpenSky, or paid AviationStack tiers), or ask the developer to switch the script to HTTPS or proxy requests through a secure endpoint.
- Final advice: treat this as usable but imperfect — don't add the API key to permanent shell startup files until you accept the plaintext-transport risk and confirm the metadata/manifest is corrected.
