mid-autumn-flight

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could install and run third-party code on the user's machine before showing flight results.

Why it was flagged

The skill requires installing an unpinned global npm package during use, while the registry/install information says there is no install spec and no required binary. This creates a supply-chain and local-environment modification risk.

Skill content

If flyai-cli is not installed, install it first... npm i -g @fly-ai/flyai-cli

Recommendation

Require explicit user approval before installation, declare the CLI as a required dependency, pin or verify the package source/version, and prefer a sandboxed or user-managed install.

What this means

The agent will run commands locally and send the selected route/date search parameters to the flight provider CLI.

Why it was flagged

The skill is designed to run local CLI commands. This is expected for its real-time flight-search purpose, but users should understand that local command execution is part of the workflow.

Skill content

flyai --version ... flyai search-flight --origin "{{o}}" --destination "{{d}}" --dep-date {{date}} --sort-type 2

Recommendation

Review commands before execution, especially on first use, and avoid running the skill in sensitive environments unless the CLI is trusted.

What this means

The agent may run unsupported or unexpected CLI options, causing failed searches or broader command behavior than the main instructions describe.

Why it was flagged

The instruction says only listed parameters may be used, but later playbooks use parameters not present in the main table. Related reference files also include additional flags such as --seat-class-name and --max-price.

Skill content

NEVER invent CLI parameters. Only use parameters listed in the Parameters Table... Playbook D... --journey-type 1 --sort-type 2

Recommendation

Align all playbooks and references with the official supported parameter list, or clearly document every allowed command and flag.