A simple Flight Tracker
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: flight-tracker Version: 1.1.0 The skill bundle is designed for flight tracking and scheduling, interacting with legitimate APIs (OpenSky Network and AviationStack). The `SKILL.md` provides clear instructions and examples without any evidence of prompt injection attempts to mislead the agent or perform unauthorized actions. The Python scripts (`schedule.py` and `track.py`) make network calls only to the documented flight APIs and `schedule.py` reads an environment variable (`AVIATIONSTACK_API_KEY`) solely for authentication to the stated API, which is a standard and expected practice. There is no indication of data exfiltration, malicious execution, persistence, or obfuscation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Flight search parameters such as route, date, callsign, or region may be sent to third-party aviation services.
The skill clearly discloses that it sends flight queries to external aviation APIs, which is expected for its stated purpose.
Track live flights in real-time by region, callsign, or airport using OpenSky Network... With API key: Fetches live schedule data
Use it for non-sensitive flight lookups and be aware that external providers will receive the query details.
Someone on the network path could potentially see or reuse the AviationStack API key and consume the account's request quota.
When AVIATIONSTACK_API_KEY is present, the script places the API key in a query string sent to an unencrypted HTTP endpoint, which can expose the credential in transit or logs.
base_url = "http://api.aviationstack.com/v1/flights" ... params = { 'access_key': api_key, 'dep_iata': origin, 'arr_iata': dest }Do not use an AviationStack API key with this skill until the endpoint is changed to HTTPS if supported; rotate the key if it was already used over HTTP.