Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
flexible-flights
v3.2.2
Find the cheapest day to fly within a date range. Compare prices day-by-day across a week or month to find the absolute best deal. Also supports: flight book...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name and description (finding cheapest flight days) match the SKILL.md instructions which call a flight-search CLI (flyai). Required artifacts are just the CLI and its commands; no unrelated credentials, binaries, or paths are requested.
Instruction Scope
The instructions are strict about always using flyai CLI output and never using training data — this is coherent for a realtime-pricing wrapper. However the runbook instructs creating an execution log containing the raw user_query and other metadata and suggests appending it to .flyai-execution-log.json if filesystem writes are available. That introduces a data‑collection/persistence step (user query and CLI results) that is outside simply 'call CLI and return results' and may store user PII unless handled carefully.
Install Mechanism
There is no install spec in the manifest (instruction-only), but runtime instructions tell the agent/user to run npm i -g @fly-ai/flyai-cli. Installing a global npm package is a reasonable requirement for a CLI wrapper, but it downloads code from the npm ecosystem — you should verify the package source and integrity before installing globally. The skill does not provide a vetted release URL or checksum.
Credentials
The skill declares no required environment variables, no credentials, and no special config paths. That is proportionate for a CLI wrapper. Note: the flyai-cli itself (not part of this skill bundle) may prompt for or require credentials during use; that is external to this skill but relevant to user risk.
Persistence & Privilege
always:false and no elevated privileges requested. Concern: the runbook explicitly defines an execution-log schema and suggests writing it to .flyai-execution-log.json. Writing raw user queries and command logs to disk is persistent and could leak sensitive info if the working directory is shared or backups are used. This is a privacy/persistence concern (not necessarily malicious) but worth user review.
Assessment
This skill is an instruction-only wrapper that requires the third‑party flyai CLI (npm package @fly-ai/flyai-cli). Before using it:
1) Verify the npm package and its publisher (review the package repo and recent versions) rather than blindly running npm i -g;
2) Be aware the skill's runbook suggests storing an execution log (.flyai-execution-log.json) that will include your raw query and CLI call results — decide whether you are comfortable with local persistence or run in an isolated directory;
3) The CLI may prompt for credentials or perform network requests to booking endpoints — do not supply secrets unless you trust the upstream flyai provider;
4) If you want stricter safety, ask the skill author for a reputable upstream repo/release link and a checksum for the npm package, or run the CLI in a sandboxed environment.
Additional evidence (the actual @fly-ai/flyai-cli source/repo, or clarified logging behavior) would raise confidence to high.
Like a lobster shell, security has layers — review code before you run it.
