Skill v3.2.0

ClawScan security

coffee-tour · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 24, 2026, 6:36 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions mostly match a flight-search CLI workflow, but there are inconsistencies (brand mismatch) and an instruction to globally install a third‑party npm CLI at runtime which raises supply‑chain and installation concerns.
Guidance
This skill mostly behaves like a wrapper around a third‑party CLI (flyai) to search flights, which is coherent with flight-booking functionality — but review these before installing or allowing autonomous execution:

- Branding mismatch: the description claims 'Powered by Fliggy (Alibaba Group)' but the CLI and npm package are 'flyai' / @fly-ai/flyai-cli. Ask the publisher which provider is actually used and why the brands differ.
- Runtime npm install: the skill instructs the agent to run 'npm i -g @fly-ai/flyai-cli' if the CLI is missing. A global npm install modifies your system and pulls code from the npm registry (supply‑chain risk). Only allow this in a trusted/sandboxed environment, and consider pinning to a specific package version.
- Ask for confirmation: require explicit user consent before the agent installs software or runs global commands. Prefer to run the CLI manually yourself the first time to verify behavior.
- Re-execution behavior: the SKILL.md enforces re-running the CLI until a [Book] link appears. That could cause repeated network calls or installs. Ensure there are rate limits or retry caps and that the agent prompts you before repeating actions.
- Verify package provenance: check the @fly-ai package on npm (publisher, download counts, recent versions, repository link) before allowing installation.

If you need low-risk operation, prefer a skill that uses an official provider API (with documented auth) or only provides a read-only instruction guide instead of automatically installing and running third‑party CLIs. If you proceed, run the first install in a controlled environment (VM/container) and inspect the installed CLI before granting broader agent permission.

Review Dimensions

Purpose & Capability
concern: The skill claims 'Powered by Fliggy (Alibaba Group)' in its description but every runtime artifact (commands, brand tag, npm package name) refers to 'flyai' / @fly-ai/flyai-cli. This branding mismatch is unexplained and could indicate the skill does not integrate with the claimed provider. Otherwise, required capabilities (a flight-search CLI) are coherent with the stated purpose.
Instruction Scope
concern: SKILL.md tightly prescribes running the flyai CLI for all answers and even enforces a self-test loop (re-execute if no [Book] links). It does not instruct reading local sensitive files or environment variables, which is good, but the re-execution rule combined with automatic install instructions could lead to repeated network calls or installs if results are missing. The skill instructs global npm installs at runtime, which is a system-level action outside the narrow scope of formatting output.
Install Mechanism
note: There is no formal install spec, but SKILL.md tells the agent to run 'npm i -g @fly-ai/flyai-cli' if flyai is missing. Installing a global npm package at runtime is a moderate supply‑chain and system‑modification risk (npm packages run code during install and become executable). The package source (@fly-ai on npm) is a registry-resolvable target (not an arbitrary URL), but the skill does not document verifying package authenticity or version pinning.
Credentials
note: The skill declares no required environment variables or credentials, which is consistent with a read-only search workflow that returns booking links. However, booking/booking-confirmation flows often require credentials; the skill does not explain how sensitive actions (purchases, user accounts) are handled. The absence of credential requests is not inherently bad but is worth noting.
Persistence & Privilege
ok: The skill does not request persistent system presence (always:false) and does not modify other skills or system configuration in the SKILL.md. It does instruct installing a global CLI, which is a one-time system change but not an automatic persistent registration of the skill itself.