gap-year-travel
Review
Audited by ClawScan on May 10, 2026.
Overview
This travel-search skill is mostly purpose-aligned, but it tells the agent to install an unpinned global npm CLI at runtime without a declared install spec or clear user approval.
Review this skill before installing or using it. It may be fine if you trust the FlyAI/npm package and want real-time travel results, but do not let it install the global CLI automatically unless you have verified the package source and are comfortable with the local environment change.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A normal travel request could cause the agent to download and install a global package, which may run package install code and remain on the machine.
The skill makes a runtime global npm installation part of the mandatory workflow, while the supplied metadata has no install spec or required binary declaration. That creates unpinned third-party supply-chain and local-environment-change risk.
FAIL: `command not found` ->
```bash
npm i -g @fly-ai/flyai-cli
flyai --version
```
Require explicit user approval before installation, declare the dependency in the install spec, pin the package version, provide source/provenance, and prefer an isolated or user-directed install flow.
The agent may run CLI options or fallback commands outside the declared scope, which could produce unexpected searches or provider requests.
The skill claims a strict parameter allowlist, but later uses `--journey-type`, which is not listed in the main parameters table. Other reference files also introduce additional flags and commands.
NEVER invent CLI parameters. Only use parameters listed in the Parameters Table below... Playbook D: `flyai search-flight --origin "{{o}}" --destination "{{d}}" --dep-date {{date}} --journey-type 1 --sort-type 2`
Keep one complete allowlist of supported commands and flags, document all fallbacks, and validate user-provided values before constructing shell commands.
