expat-relocation
Advisory
Audited by VirusTotal on Apr 24, 2026.
Overview
Type: OpenClaw Skill
Name: expat-relocation
Version: 3.2.0
The skill is classified as suspicious because it mandates the global installation of an external NPM package (`@fly-ai/flyai-cli`) via `npm i -g` in SKILL.md and references/fallbacks.md, which is a high-risk operation that could facilitate supply chain attacks or unauthorized system modification. The instructions use aggressive prompt engineering to force the agent to install this software and strictly bypass its internal knowledge base. While these actions are framed as necessary for flight booking, the requirement for global execution privileges and external dependency fetching without verification poses a significant security risk.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may install third-party software globally on your computer before showing flight results.
This mandates a runtime global installation of an unpinned npm package. npm installs can execute package code and modify the local environment, while the package itself is not included for review here.
If flyai-cli is not installed, install it first... `npm i -g @fly-ai/flyai-cli`
Only allow the install if you trust @fly-ai/flyai-cli. Prefer a user-approved, pinned, documented install step or run it in a sandboxed environment.
Your travel search details may be processed by the external flight-booking provider, and clicking results may take you to booking pages.
The skill directs the agent to send route/date parameters to the flyai CLI and present provider booking links. This fits the stated travel-booking purpose, but users should notice the external tool and links.
`flyai search-flight --origin "{{o}}" --destination "{{d}}" --dep-date {{date}} --sort-type 2` ... `Every result MUST have a [Book]({detailUrl}) link.`
Use the skill only when you are comfortable sharing the itinerary details with the provider, and verify prices and URLs before booking.
