coffee-tour
ReviewAudited by ClawScan on May 10, 2026.
Overview
The travel-search purpose is coherent, but the skill tells the agent to automatically install an unpinned global npm CLI before use.
Review before installing. The skill appears designed for flight-search results and booking links, but you should approve any npm installation manually, confirm the flyai CLI source and version, and avoid sharing unnecessary personal travel details.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing an unpinned global CLI can change the user's system and relies on code from an external package source that is not reviewed in these artifacts.
The skill directs the agent to install an unpinned npm package globally during normal use, despite the registry saying there is no install spec or required binary.
`command not found` -> `npm i -g @fly-ai/flyai-cli`
Require explicit user approval before installation, pin the package version, declare the binary/install requirement in metadata, and prefer a scoped or sandboxed install path.
The agent may run flyai commands or flags beyond the advertised parameter list, which could produce errors or less predictable behavior.
The skill creates an allowlist rule but later uses a flag not listed in that table, reducing clarity about which CLI operations are actually permitted.
`Only use parameters listed in the Parameters Table below` ... `flyai search-flight ... --journey-type 1 --sort-type 2`
Make the parameter table and playbooks consistent, and document every allowed command and flag the skill may use.
Origin, destination, dates, and travel preferences may be shared with the external travel provider.
The skill sends user-provided travel details to the external flyai/Fliggy travel service through the CLI, which is expected for flight search but still a data-sharing boundary.
`powered by Fliggy (Alibaba Group)` and `flyai search-flight --origin "{{o}}" --destination "{{d}}" --dep-date {{date}}`Use the skill only for travel details you are comfortable sending to the provider, and avoid entering unnecessary personal or sensitive information.