v0.6.4

Korea Domestic Flights

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 7:41 AM.

Analysis

This flight-search skill is mostly purpose-aligned, but it depends on an unbundled local scraper from a tmp path and can persist recurring price-alert checks, so its setup should be reviewed before use.

GuidanceBefore installing, confirm you trust the local `tmp/Scraping-flight-information` scraper and its Playwright/browser dependencies. Expect the skill to run local Python scripts and to write `price-alert-rules.json` for monitoring. Do not enable cron, briefing, or scheduler integration unless you intentionally want recurring checks.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities

SeverityMediumConfidenceHighStatusConcern

SKILL.md

This skill wraps the local project clone at: `tmp/Scraping-flight-information` ... Main reused entry points: `scraping.searcher.FlightSearcher`, `scraping.parallel.ParallelSearcher`

The core flight-search implementation is delegated to a local project outside the provided artifact manifest, with no source URL, commit pin, or install spec shown.

User impactRunning searches requires trusting whatever code is present in that local clone; a different or compromised clone could change results or execute unintended local behavior.

RecommendationOnly use this skill with a known, audited clone of the upstream scraper, and prefer adding a pinned source/commit and explicit install requirements to the skill package.

Unexpected Code Execution

SeverityLowConfidenceHighStatusNote

scripts/chat_search.py

command = [sys.executable, str(SCRIPT_DIR / script_name), *extra_args]; return subprocess.call(command)

The chat wrapper executes local Python scripts as part of dispatching searches. This is purpose-aligned and uses argument lists rather than shell commands, but it is still local code execution.

User impactUsing the skill will run installed Python scripts on the local machine.

RecommendationInstall and run it only from a trusted skill directory, and review local scripts before invoking them in automated workflows.

Rogue Agents

SeverityLowConfidenceHighStatusNote

references/price-alerts-schema.md

가격 감시 기능은 기본적으로 `skills/korea-domestic-flights/price-alert-rules.json` 파일을 사용한다 ... 정기 점검 ... `python skills/korea-domestic-flights/scripts/price_alerts.py check`

The skill stores price-watch state locally and is designed to be run repeatedly by an external cron/briefing layer.

User impactTravel routes, dates, price targets, and last-check results can remain on disk and be checked repeatedly if the user schedules it.

RecommendationReview stored alert rules, remove stale ones, and only connect cron or Task Scheduler after confirming the schedule and command are intended.