economy-flights

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is mostly aligned with finding cheap flights, but it tells the agent to install and run an unpinned global CLI package and may silently write travel query logs locally.

Before installing, confirm you trust the @fly-ai/flyai-cli package and do not let the agent run global or sudo npm installs without explicit approval. Also check whether you are comfortable with your flight searches being sent to the provider and possibly written to .flyai-execution-log.json.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could install and run new third-party software on the user's machine when the user only asked for flight results.

Why it was flagged

The skill requires automatic global installation of an unpinned third-party npm CLI package before use. This is central to the skill, but it is not declared in the install spec or requirements and changes the user's environment.

Skill content

If flyai-cli is not installed, install it first... npm i -g @fly-ai/flyai-cli

Recommendation

Require explicit user approval before installing the CLI, pin the package/version, declare the binary/install requirement in metadata, and document what the CLI does.

What this means

A privileged package install could modify system-wide files or execute package install scripts with elevated access.

Why it was flagged

The fallback documentation mentions a privileged global npm install path. Even as a fallback, sudo-based installation is high-impact and should not be attempted by an agent without clear user-directed approval.

Skill content

# Fails → sudo npm i -g @fly-ai/flyai-cli

Recommendation

Remove sudo installation from agent-run instructions; if needed, tell the user to perform installation manually after reviewing the package source and permissions.

What this means

Private travel plans or other text included in the user's request could be stored locally and later exposed or reused unintentionally.

Why it was flagged

The runbook directs the agent to keep an internal log containing raw user input and append it to a local file when possible, without clear user notice, retention limits, or redaction.

Skill content

"user_query": "{raw input}" ... If file system writes are available: echo '{generation_log_json}' >> .flyai-execution-log.json

Recommendation

Make logging opt-in, avoid storing raw user input by default, redact sensitive details, define retention, and clearly tell users when a local log file will be created.

What this means

Flight search details may be transmitted to the flyai service to retrieve live prices and booking links.

Why it was flagged

The skill relies on external CLI calls to search flights. This is expected for real-time flight pricing, but users should know their route/date query is being sent through that CLI/provider.

Skill content

flyai search-flight --origin "{o}" --destination "{d}" --dep-date {date} --seat-class-name economy --sort-type 3

Recommendation

Use the skill only for travel searches you are comfortable sending to the provider, and review booking links before clicking or purchasing.