ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Flights

v1.2.0

Search flights via Google Flights. Find nonstop/connecting flights, filter by time and cabin class, get booking links. Supports city names (NYC, London, Toky...

1· 2.5k·4 current·4 all-time
by@brennerspear
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to provide a bundled CLI at scripts/flights-search within the skill directory, but the package contains no code files—only SKILL.md. That is a direct mismatch between what the skill says it contains and what is present. Other capability claims (using Python + fast-flights to query Google Flights data) are plausible, but the missing bundled script is a substantive coherence problem.
!
Instruction Scope
Runtime instructions tell the agent/user to install an external tool (uv) via a remote installer (curl ... | sh), to use uvx to pull the fast-flights library, and to run a local scripts/flights-search CLI that does not actually exist in the skill bundle. The instructions do not ask for credentials or unrelated system data, but they do instruct running remote installers and fetching code at runtime and rely on a reverse‑engineered Google Flights protobuf API (which may have TOS/legal implications).
!
Install Mechanism
There is no formal install spec in the registry; instead SKILL.md recommends running an external shell installer from https://astral.sh (curl | sh) and relying on uvx to fetch the fast-flights package. Downloading and executing a remote install script is higher risk because it executes code fetched from an external server. The alternative pip install path (pip install fast-flights) is safer but still pulls third-party code at runtime.
Credentials
The skill declares no required environment variables, credentials, or config paths, and the instructions do not request additional secrets. There is no disproportionate credential access.
Persistence & Privilege
The skill does not request persistent or elevated privileges in the registry metadata (always:false). It is user-invocable and allows normal autonomous invocation (the platform default), but it does not declare any unusual persistence or cross-skill configuration changes.
What to consider before installing
Do not run remote installers or execute unfamiliar scripts without review. Specific issues to consider before installing or running this skill: - The SKILL.md says a scripts/flights-search CLI is bundled, but the published package contains no code—so the provided commands will likely fail or will cause you to fetch code from external sources at runtime. - The instructions recommend running a remote installer via curl | sh (astral.sh); that fetches and runs code from the internet and can execute arbitrary commands on your machine. Prefer installing known packages via your package manager or pip after inspecting their source. - The tool relies on a third‑party Python package (fast-flights) that uses a reverse‑engineered Google Flights protobuf API. That may work but could break, and could violate Google’s terms of service; review the fast-flights project source and its network behavior before using. - If you still want to try it: inspect the fast-flights repository and any install scripts (astral.sh/uv installer) manually, avoid piping unknown shells to sh, and prefer pip install fast-flights in a contained environment (virtualenv or container). If you need stronger assurance, ask the publisher for the missing scripts or a signed release and for clarity on why the CLI is not bundled in the package. Reason for confidence: medium — no code files were present to inspect, so the assessment relies on the SKILL.md text; concrete mismatches (missing bundled CLI + remote installer) make this suspicious but not definitively malicious.

Like a lobster shell, security has layers — review code before you run it.

latestvk97arjg757jk1ra45q1aaha04x81vxd8
2.5kdownloads
1stars
3versions
Updated 21h ago
v1.2.0
MIT-0
@brennerspear
latest
Download

Flight Search

Search real-time flight schedules and prices via Google Flights data.

Prerequisites

  • Python 3.9+
  • uv (recommended) — install with curl -LsSf https://astral.sh/uv/install.sh | sh

The flights-search CLI is bundled at scripts/flights-search in this skill directory.

The fast-flights library is installed automatically on first run via uvx (cached after that). Or install manually: pip install fast-flights

CLI Usage

uvx --with fast-flights python3 scripts/flights-search <origin> <destination> <date> [options]

Origin and destination accept IATA codes (JFK, LAX) or city names (NYC, London, Tokyo). City names automatically search all airports in that metro area.

Examples

# Search all NYC airports to LAX
flights-search NYC LAX 2026-03-15

# Nonstop flights from NYC to Berlin
flights-search NYC Berlin 2026-03-15 --nonstop

# Evening departures only
flights-search JFK LHR 2026-03-15 --after 17 --before 22

# Business class
flights-search NYC London 2026-03-15 --class business

# Multiple passengers with booking link
flights-search SF Tokyo 2026-04-01 --passengers 2 --link

Options

OptionDescription
--nonstopNonstop flights only
--all-stopsShow all flights regardless of stops
--after HHDepart after hour (24h format)
--before HHDepart before hour (24h format)
--classCabin: economy, premium, business, first
--passengers NNumber of travelers (default: 1)
--linkPrint Google Flights URL

Supported City Names

When you use a city name, the CLI searches all airports in that metro area:

CityAirports
NYC / New YorkJFK, EWR, LGA
LA / Los AngelesLAX, BUR, LGB, ONT, SNA
SF / San FranciscoSFO, OAK, SJC
ChicagoORD, MDW
DC / WashingtonDCA, IAD, BWI
LondonLHR, LGW, STN, LTN, LCY
ParisCDG, ORY
TokyoNRT, HND
TorontoYYZ, YTZ

60+ metro areas supported. Use any IATA code directly for airports not in the list.

Default Behavior

By default, the CLI shows only flights with the minimum stops available:

  • If nonstops exist → shows only nonstops
  • If no nonstops → shows only 1-stop flights
  • Use --all-stops to see everything

Output

Searching from NYC: JFK, EWR, LGA

Route        Depart                       Arrive                       Airline          Price       Duration
------------------------------------------------------------------------------------------------------------
EWR→LAX      6:00 AM on Sat, Mar 7        9:07 AM on Sat, Mar 7        United           $289        6 hr 7 min
EWR→LAX      12:00 PM on Sat, Mar 7       3:14 PM on Sat, Mar 7        United           $289        6 hr 14 min
JFK→LAX      8:00 AM on Sat, Mar 7        11:30 AM on Sat, Mar 7       Delta            $304        5 hr 30 min

3 flight(s) found.

Notes

  • Date format: YYYY-MM-DD
  • Airport codes: Standard IATA codes (JFK, LAX, LHR, etc.)
  • Prices are in USD
  • Times shown in local airport timezone
  • No API key required — uses Google Flights data via reverse-engineered protobuf API
  • Some routes may return price-only results (missing departure/arrival times) due to upstream parsing limitations

Data Source

Uses Google Flights data via the fast-flights Python package.

Comments

Loading comments...