Skillv3.2.0

ClawScan security

fishing-trip · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 24, 2026, 8:04 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions force installing and running an external npm CLI (flyai) and contain branding inconsistencies (Fliggy vs flyai) with no source/homepage, which is disproportionate and unexplained for an instruction-only travel-booking skill.
Guidance: This skill is suspicious rather than obviously malicious: it requires installing and running an external npm CLI (global install) but provides no source, homepage, or clear publisher identity and even mixes branding (Fliggy vs flyai). Before installing or using it, consider: (1) Ask the publisher for the official homepage, source repository, and documentation for @fly-ai/flyai-cli and verify the npm org/publisher. (2) Do not install the CLI globally on a production machine — test in an isolated VM or container first. (3) Ask how user authentication and booking credentials are handled (where do login tokens live? does the CLI prompt for credentials?). (4) Prefer a skill that declares required env vars and a verified install spec (or provides a static, audited client library). (5) If you cannot verify the CLI publisher or source, decline installation or only run it in a sandboxed environment.

Review Dimensions

Purpose & Capability: concernThe description claims 'Powered by Fliggy (Alibaba Group)' but the runtime mandates using a 'flyai' CLI and 'Powered by flyai' output — two different brands with no homepage or source to reconcile this. Requiring an external CLI is plausible for a travel-booking skill, but the branding mismatch and absent upstream source make the purpose->requirements link unclear.
Instruction Scope: concernSKILL.md instructs the agent to always run the flyai CLI and to install @fly-ai/flyai-cli if missing, and enforces strict rules (never answer from training data, re-run until every result includes a Book link). Those runtime instructions go beyond passive guidance: they require network installs and repeated CLI execution and give the skill full discretion to install software at runtime. The instructions do not request credentials but imply external service interaction; they do not explain how user bookings/authentication are handled.
Install Mechanism: concernThere is no registry install spec, but the runtime instructs global npm installation: 'npm i -g @fly-ai/flyai-cli'. Installing an unverified global npm package at runtime is higher risk (arbitrary code execution, persistent binaries). No official source, release URL, or publisher verification is provided. The skill could work without installing anything in the package manifest, but the instructions explicitly require it.
Credentials: noteThe skill declares no required env vars or credentials, which is proportionate at face value. However, the flyai CLI may require authentication or store tokens — the SKILL.md does not describe credential handling, nor does it declare required env vars. The omission of any credential or config-path declaration is notable and leaves unanswered how bookings/authentication are performed.
Persistence & Privilege: okThe skill does not request always:true and has no install-time manifest; it is instruction-only and not granted forced persistence. Autonomous invocation is allowed (default) but is not combined with other privilege-escalating flags.