Skillv3.2.0

ClawScan security

honeymoon-trip · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 9, 2026, 7:24 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's behavior broadly matches a wrapper around the flyai CLI (so the requested actions make sense) but the runtime instructions ask the agent to install/run a global npm CLI and to persist execution logs, which introduces unattended side effects and data persistence that are not declared in the manifest.
Guidance: This skill is a coherent wrapper around the flyai CLI, but it asks the agent to install a global npm package and may persist execution logs locally. Before installing or allowing the agent to run it: (1) verify the source of @fly-ai/flyai-cli (review the npm package and its upstream repo) and confirm you trust it; (2) avoid running the skill on a machine with sensitive data — consider a sandbox or container; (3) be aware that the agent may write '.flyai-execution-log.json' containing raw user queries and CLI outputs to disk—if you don’t want persistent logs, prevent filesystem writes or modify the skill; (4) watch for any prompts that request credentials or payment info during booking flows and do not supply secrets to the agent; (5) if you need higher assurance, request the skill author to add an explicit install spec, provenance info (official repository/registry links), and a configurable logging toggle (opt-in) before use.

Review Dimensions

Purpose & Capability: okThe skill is explicitly a wrapper around the flyai CLI to provide real-time travel data and booking links; requiring the flyai CLI (via npm install) is coherent with the described purpose. The README even points to a flyai parent skill and GitHub path, matching the goal of real-time bookings.
Instruction Scope: concernSKILL.md mandates the agent always run the flyai CLI and to never answer from training data, and it prescribes exact CLI commands/parameters and output formats. However, the references include a runbook that tells the agent to persist an execution log file ('.flyai-execution-log.json') containing raw user_query and steps if filesystem writes are available. That is a side-effect (writing potentially sensitive user queries and CLI outputs to disk) not reflected anywhere in the skill metadata. The skill also instructs the agent to perform an npm global install at runtime if the CLI is missing — a network install and execution step with system-level side effects.
Install Mechanism: noteThere is no formal install spec in the registry metadata, but SKILL.md tells the agent to run 'npm i -g @fly-ai/flyai-cli' if flyai is missing. A global npm install is a normal way to install a CLI but is higher-risk than an instruction-only skill because it reaches out to the public npm registry and writes to the host environment. This is expected for a CLI wrapper, but users should verify the package source and trustworthiness before allowing an agent to run it.
Credentials: okThe skill does not request environment variables, credentials, or config paths in the metadata. That is proportionate to a read-only planning/lookup wrapper. Note: the flyai CLI or subsequent booking flows may require credentials or payment info at booking time, but those are not requested by this skill itself.
Persistence & Privilege: concernThe skill is not marked 'always' and does not request elevated platform privileges, which is good. However, the runbook explicitly includes a mechanism to append detailed execution logs (including raw user_query and command outputs) to a local file if filesystem writes are available. This creates persistent storage of potentially sensitive user data and is not declared in the skill manifest.