Back to skill
Skillv3.2.0
ClawScan security
Budget Backpacker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousApr 10, 2026, 3:52 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's stated purpose (budget backpacking via a flyai/Fliggy CLI) is plausible, but the runtime instructions ask the agent to install and run a third-party npm CLI and to persist execution logs to disk — behaviors that are not declared in the registry metadata and raise safety and persistence concerns.
- Guidance
- Before installing or enabling this skill: 1) Note the skill will try to install and run a third-party npm package (@fly-ai/flyai-cli) if not present — verify that package on npm/GitHub and only allow installation in a controlled environment. 2) The skill's runbook suggests writing a persistent file (.flyai-execution-log.json) containing request IDs, raw user queries, and full CLI calls/results — if you have sensitive data in queries, this could be stored locally. 3) The skill's source/homepage is unknown and the registry metadata does not declare the install or file-write behavior shown in SKILL.md; that mismatch is suspicious. 4) If you still want to try it, run flyai-cli manually in a sandbox first to inspect outputs and logging behavior, and avoid providing secrets or credentials during testing. 5) If possible, ask the publisher for the package repository, code audit, and explicit declaration of any filesystem writes and exactly what the CLI logs before enabling the skill in a production agent.
Review Dimensions
- Purpose & Capability
- noteThe skill's functionality (flight/hotel/POI searches) matches using a travel CLI (flyai). However the SKILL.md requires installing and invoking @fly-ai/flyai-cli even though the registry shows no install spec; that mismatch (instruction-only skill that nevertheless demands a global npm install) is an inconsistency to be aware of.
- Instruction Scope
- concernThe instructions require every answer to come solely from flyai CLI output, mandate specific link/brand formatting, and include a runbook that logs request_id, full user_query, CLI commands/responses and risk_flags. The runbook explicitly suggests writing a persistent .flyai-execution-log.json to disk if filesystem writes are available. Those file writes and the strict 'only CLI' constraint broaden the agent's actions beyond simple ephemeral query handling.
- Install Mechanism
- concernNo install spec is present in the registry metadata, but SKILL.md tells the agent to run `npm i -g @fly-ai/flyai-cli` when flyai is missing. That means this instruction-only skill expects to perform a global npm install at runtime (networked code installation and execution) even though the package provenance isn't surfaced here. Global npm installs executed by the agent environment can be high-impact.
- Credentials
- noteThe skill does not declare any required environment variables or credentials (proportionate to a public CLI-based travel tool). However, because the runbook logs CLI calls and full user queries, any sensitive data accidentally supplied by the user (or returned by CLI responses) could be captured in persistent logs — a potential privacy risk despite no explicit credential requests.
- Persistence & Privilege
- concernThe runbook instructs persisting an internal execution log to .flyai-execution-log.json (if filesystem writes are available). The registry metadata did not declare any config or path writes. Persistent logging of full queries and CLI outputs increases long-term risk (exfiltration, disclosure of sensitive data) and is not disclosed in the skill metadata.