Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
FlyAI Flight Tracker
v3.2.0 · Track flight prices across a date range and find the optimal booking window. Shows day-by-day price comparison charts to spot trends and the best moment to b...
⭐ 0· 37·0 current·0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (flight price tracking) aligns with the instructions to call a flyai CLI. However the SKILL.md requires installing a third-party npm package at runtime even though the registry metadata includes no install spec or provenance (no homepage/source). The README references a GitHub parent skill but the registry source is 'unknown', which weakens provenance.
Instruction Scope
The SKILL.md tightly constrains answers to data obtained from the flyai CLI and forbids using training data — but a playbook (Playbook B) explicitly says to 'Compare with historical patterns from knowledge', which contradicts the 'NEVER answer from training data' rule. The instructions also force the agent to run an npm -g install if the CLI is missing; that action performs network installs and is outside the skill's declared metadata. The playbooks/ references are local paths that may not exist in the runtime environment, adding operational fragility.
Install Mechanism
There is no formal install spec in the registry, but the SKILL.md instructs running 'npm i -g @fly-ai/flyai-cli' when flyai is missing. That causes a network download and global package installation at runtime—potentially arbitrary code execution from npm. Using npm is common, but the skill does not declare the package's provenance, required permissions, or whether it needs API credentials.
Credentials
The skill declares no required environment variables or credentials. In practice, a CLI that queries real-time booking data often requires API keys or login tokens; those are not declared. This mismatch (no declared secrets but likely external service access) is a red flag: verify whether the flyai CLI requires authentication and what it stores/uses before installing.
Persistence & Privilege
The skill does not request 'always: true' or other elevated platform privileges. It also does not claim to modify other skills or system-wide configuration. The main persistence concern is the agent-driven global npm install called at runtime, but that is not a declared platform privilege.
What to consider before installing
Before installing or enabling this skill:
(1) Verify the provenance of '@fly-ai/flyai-cli' — check its npm page and source repo; do not blindly run 'npm i -g' as it executes code on your system.
(2) Confirm whether the CLI requires API credentials or login (none are declared in the skill). If it does, ask the author why credentials aren't declared and where they are stored.
(3) Ask the skill author to resolve the contradiction between 'NEVER answer from training data' and the instruction to 'compare with historical patterns from knowledge.'
(4) Prefer skills that publish a homepage or repository so you can audit the CLI code and read its privacy/security policy.
(5) If you decide to proceed, consider installing the CLI manually in a controlled environment (not via an autonomous agent) and inspect what network calls it makes and where it stores tokens.
(6) If you cannot verify the CLI's safety and provenance, treat this skill as untrusted.
booking · flyai · latest · travel
