A simple Flight Tracker
ReviewAudited by ClawScan on May 10, 2026.
Overview
The flight-tracking behavior is mostly as described, but the optional AviationStack API key is sent over an unencrypted HTTP request, so users should review it before use.
This skill appears to do flight tracking as advertised and does not show local persistence or file access, but avoid configuring AVIATIONSTACK_API_KEY unless the code is updated to use HTTPS for the AviationStack request.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Flight search parameters such as route, date, callsign, or region may be sent to third-party aviation services.
The skill clearly discloses that it sends flight queries to external aviation APIs, which is expected for its stated purpose.
Track live flights in real-time by region, callsign, or airport using OpenSky Network... With API key: Fetches live schedule data
Use it for non-sensitive flight lookups and be aware that external providers will receive the query details.
Someone on the network path could potentially see or reuse the AviationStack API key and consume the account's request quota.
When AVIATIONSTACK_API_KEY is present, the script places the API key in a query string sent to an unencrypted HTTP endpoint, which can expose the credential in transit or logs.
base_url = "http://api.aviationstack.com/v1/flights" ... params = { 'access_key': api_key, 'dep_iata': origin, 'arr_iata': dest }Do not use an AviationStack API key with this skill until the endpoint is changed to HTTPS if supported; rotate the key if it was already used over HTTP.