Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Create Packing Lists — Trip Packing Checklist, Luggage Essentials, Travel Gear & What to Pack
v3.2.0
Get a customized packing list based on your destination, season, trip type, and activities. Never forget essentials again. Also supports: flight booking, hot...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description focus on packing lists and real-time booking links; requiring a live CLI (flyai) to fetch results is plausible. However the metadata has no source/homepage, and the description advertises broad booking capabilities beyond the simple packing-list playbooks, which is an area to confirm with the author.
Instruction Scope
SKILL.md forces the agent to install and call a third-party CLI and to never answer from training data; yet references/fallbacks.md allows using domain knowledge as a fallback in some cases — this is a contradiction. The runbook shows the agent may persist raw user_query and other logs to a local file (.flyai-execution-log.json) without declaring that file or asking permission, which could capture sensitive user input.
Install Mechanism
Installation is an npm global package (@fly-ai/flyai-cli). Scoped npm packages are common but have moderate risk because they execute arbitrary code from the npm registry. The skill metadata lacks a source/homepage to validate the package identity; that absence increases risk and should be verified before performing a global npm install.
Credentials
The skill doesn't request environment variables or credentials, which is proportionate. However, the runbook instructs writing an execution log including the raw user_query; this implicit local persistence is not declared and could capture credentials or personal data the user enters into queries.
Persistence & Privilege
always:false and normal autonomous invocation are fine. But the runbook's 'Log Persistence' step appends JSON to .flyai-execution-log.json if file writes are available — the skill thus requests the ability to create persistent files locally without declaring the path or asking for consent. That is a notable privilege and potential privacy risk.
What to consider before installing
Before installing or invoking:
1) Verify the @fly-ai/flyai-cli package source — inspect the npm package page and repository (do not blindly run npm i -g).
2) Avoid entering any sensitive personal data (passwords, passport numbers, payment details) into queries because the runbook shows raw queries may be written to a local log file.
3) Ask the skill author to clarify where logs are stored, for how long, and whether data is uploaded off-host.
4) If you must test, do so in a sandboxed environment or VM and use non-sensitive example queries.
5) Prefer skills that publish a homepage/repository and a privacy statement; if those are missing, treat the package as higher risk.
Like a lobster shell, security has layers — review code before you run it.
