mid-autumn-flight
Review
Audited by ClawScan on May 10, 2026.
Overview
This flight-search skill is mostly purpose-aligned, but it tells the agent to install an undeclared global npm CLI package during use, which should be reviewed before running.
Before installing, verify that @fly-ai/flyai-cli is the intended and trusted package, approve any install manually, and be aware that your flight search details will be sent through that CLI. Also verify booking links before entering payment or personal information.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could install and run third-party code on the user's machine before showing flight results.
The skill requires installing an unpinned global npm package during use, while the registry/install information says there is no install spec and no required binary. This creates a supply-chain and local-environment modification risk.
If flyai-cli is not installed, install it first... npm i -g @fly-ai/flyai-cli
Require explicit user approval before installation, declare the CLI as a required dependency, pin or verify the package source/version, and prefer a sandboxed or user-managed install.
The agent will run commands locally and send the selected route/date search parameters to the flight provider CLI.
The skill is designed to run local CLI commands. This is expected for its real-time flight-search purpose, but users should understand that local command execution is part of the workflow.
flyai --version ... flyai search-flight --origin "{{o}}" --destination "{{d}}" --dep-date {{date}} --sort-type 2
Review commands before execution, especially on first use, and avoid running the skill in sensitive environments unless the CLI is trusted.
The agent may run unsupported or unexpected CLI options, causing failed searches or broader command behavior than the main instructions describe.
The instruction says only listed parameters may be used, but later playbooks use parameters not present in the main table. Related reference files also include additional flags such as --seat-class-name and --max-price.
NEVER invent CLI parameters. Only use parameters listed in the Parameters Table... Playbook D... --journey-type 1 --sort-type 2
Align all playbooks and references with the official supported parameter list, or clearly document every allowed command and flag.
