Skill v3.1.0

ClawScan security

Auto Rental · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Apr 12, 2026, 6:20 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions largely match a car-rental search tool, but there are multiple mismatches and operational risks (unverified npm package install, undeclared authentication, and file writes) that make its behavior unclear and warrant caution.
Guidance
Before installing or using this skill:
1) Verify the legitimacy of the @fly-ai/flyai-cli npm package (publisher, npm page, GitHub repo) and confirm whether it is actually affiliated with Fliggy/Alibaba as claimed.
2) Prefer to manually install the CLI in a sandbox or VM first; global npm installs run arbitrary code and may require sudo.
3) Ask the skill author how authentication works (what credentials are needed and where they are stored) — the skill does not declare any required env vars or auth flow.
4) Confirm what the CLI sends and what the runbook log contains; the skill may write .flyai-execution-log.json with user queries and CLI outputs (possible PII).
5) If you do allow the agent to run this skill, disable autonomous installation or require manual approval for npm installs and file writes.
6) If unsure, request the skill author to provide package provenance, an explicit auth mechanism, and an opt-out for persistent logging; absent those clarifications, treat the skill as untrusted.

Review Dimensions

Purpose & Capability
concern: The skill claims to be powered by Fliggy (Alibaba Group) and to support a broad set of travel services, but the runtime instructions require a third-party CLI called @fly-ai/flyai-cli; no relationship or authentication details for Fliggy/flyai are provided. The SKILL.md scope is focused on car rental (consistent) but the description and brand claims are inconsistent with the requested tooling.
Instruction Scope
concern: The SKILL.md forces the agent to fetch all data from the flyai CLI and to never use training data. The runbook includes an instruction to append execution logs to .flyai-execution-log.json if writes are available, which means the skill will persist user queries and CLI command details to disk. The instructions do not declare how flyai authenticates or whether CLI calls or logs may contain PII or credentials.
Install Mechanism
note: No binary is required by the registry metadata, but the instructions mandate globally installing an npm package (npm i -g @fly-ai/flyai-cli). npm global installs are moderate-risk (they run third-party code on the host). There is no install spec in the registry metadata and no provenance or official URL for the package is provided, which increases uncertainty.
Credentials
concern: The skill declares no required environment variables or credentials, yet depends on a third-party CLI that likely requires authentication to fetch real-time pricing. The SKILL.md never explains how to authenticate (API key, login flow, or token storage). The runbook/logging behavior could cause sensitive user data or query contents to be written to disk. This mismatch (tool requiring secrets but none declared) is an incoherence.
Persistence & Privilege
concern: While the skill is not always-on, it instructs installing a global npm package and may write an execution log file to the working directory. If the agent is allowed to invoke the skill autonomously it could attempt to install the package and create logs without explicit interactive user approval. Those actions change system state and require elevated permissions on some systems.