ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Lap Airline Code Lookup Api

v1.0.0

Airline Code Lookup API skill. Use when working with Airline Code Lookup for reference-data. Covers 1 endpoint.

0· 118·1 current·1 all-time
by@mickmicksh

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for mickmicksh/lap-airline-code-lookup-api.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Lap Airline Code Lookup Api" (mickmicksh/lap-airline-code-lookup-api) from ClawHub.
Skill page: https://clawhub.ai/mickmicksh/lap-airline-code-lookup-api
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install lap-airline-code-lookup-api

ClawHub CLI

Package manager switcher

npx clawhub@latest install lap-airline-code-lookup-api
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, and the single endpoint (GET /reference-data/airlines) are consistent with an airline-code lookup helper. However the declared Base URL is a third-party API (https://test.api.amadeus.com/v1) while the SKILL.md states 'No authentication required' and the skill requests no credentials—Amadeus-style APIs commonly require API keys/OAuth. This mismatch is unexplained and could indicate the instructions are incomplete or outdated.
!
Instruction Scope
Instructions are generally narrow (call GET /reference-data/airlines, consult references/api-spec.lap). But SKILL.md references a local file (references/api-spec.lap) that is not present in the skill bundle, so the instructions expect resources that don't exist. The CLI examples (npx @lap-platform/lapsh ...) would cause npm to fetch packages if executed; while not malicious by itself, it is an action that may download and run external code. The instructions do not request or exfiltrate unrelated files or environment variables.
Install Mechanism
No install spec and no shipped code files — the skill is instruction-only. That minimizes installer risk because nothing in the package will be written to disk automatically. However the provided CLI examples use npx which would fetch code at runtime if an agent or user runs them.
Credentials
The skill declares no required environment variables or credentials. That is low privilege and would be appropriate for a public, unauthenticated API. However the chosen base URL is a third-party (Amadeus) test endpoint where authentication is commonly required; the lack of any auth/account variables is therefore unexpected and unexplained.
Persistence & Privilege
The skill does not request persistent privileges (always:false) and does not modify other skill or system configurations per the provided files. Default autonomous invocation is allowed but not combined with other privilege escalations here.
What to consider before installing
This appears to be a minimal, read-only API helper, but there are a few things to verify before installing or using it: - Confirm authentication requirements: try a manual curl to https://test.api.amadeus.com/v1/reference-data/airlines — if the API requires an API key or OAuth, the SKILL.md is incomplete and the skill will not work without adding credentials. Do not assume 'No authentication required' is correct. - Missing local spec: SKILL.md points to references/api-spec.lap, but that file is not included. Ask the author for the API spec or provide your own; without it the agent may not have parameter/response details it expects. - npx commands: the doc suggests using `npx @lap-platform/lapsh` which will download code from the npm registry when run. Only run that if you trust the package and review its source. Consider fetching the spec manually from the official API docs instead. - If you plan to allow autonomous agent use, be cautious: the skill can make network requests to an external API. If you must supply credentials to make it work, only provide least-privilege keys and verify the skill's implementation first. If you want a safer proceed: contact the skill author for the missing spec and clarification on auth, or run manual tests against the API endpoint before enabling this skill for agents.

Like a lobster shell, security has layers — review code before you run it.

latestvk9784w2w2wy8taq6psfq95120d8562z7
118downloads
0stars
1versions
Updated 1w ago
v1.0.0
MIT-0
@mickmicksh
latest
Download

Airline Code Lookup API

API version: 1.2.1

Auth

No authentication required.

Base URL

https://test.api.amadeus.com/v1

Setup

  1. No auth setup needed
  2. GET /reference-data/airlines -- verify access

Endpoints

1 endpoints across 1 groups. See references/api-spec.lap for full details.

reference-data

MethodPathDescription
GET/reference-data/airlinesReturn airlines information.

Common Questions

Match user requests to endpoints in references/api-spec.lap. Key patterns:

  • "List all airlines?" -> GET /reference-data/airlines

Response Tips

  • Check response schemas in references/api-spec.lap for field details

CLI

# Update this spec to the latest version
npx @lap-platform/lapsh get airline-code-lookup-api -o references/api-spec.lap

# Search for related APIs
npx @lap-platform/lapsh search airline-code-lookup-api

References

  • Full spec: See references/api-spec.lap for complete endpoint details, parameter tables, and response schemas

Generated from the official API spec by LAP

Comments

Loading comments...