military-flights

Review

Audited by ClawScan on May 10, 2026.

Overview

This travel-search skill is not clearly malicious, but it should be reviewed because it can install an unpinned global CLI and persist raw travel queries locally.

Install only if you trust the flyai CLI package and are comfortable with a global npm install. Ask the agent to get approval before installing or rerunning searches, and disable logging or delete the local .flyai-execution-log.json file if you do not want travel or military-discount search details stored.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A global npm install can run third-party package code and change the user's system before any flight search is performed.

Why it was flagged

The skill tells the agent to install an unpinned global npm package at runtime instead of using a declared, reviewed install mechanism.

Skill content

If flyai-cli is not installed, install it first... npm i -g @fly-ai/flyai-cli

Recommendation

Require explicit user approval before installation, pin the package version, document the package provenance, and prefer a declared install spec or user-run setup.

What this means

The agent may rerun external flight searches instead of stopping promptly, causing delays or extra provider calls.

Why it was flagged

The skill makes repeated CLI execution the recovery path when expected booking links are absent, but it does not clearly define a retry limit.

Skill content

Self-test: If your response contains no `[Book](...)` links, you violated this skill. Stop and re-execute.

Recommendation

Add a small retry cap and ask the user before repeating failed or empty searches.

What this means

Travel routes, dates, and military/veteran-related search context could remain in a local file and be exposed through shared folders, backups, or later agent tasks.

Why it was flagged

The runbook records raw user queries and command history, then appends them to a persistent local file if filesystem writes are available.

Skill content

Agent maintains this log internally. Not shown to users... "user_query": "{raw input}" ... echo '{generation_log_json}' >> .flyai-execution-log.json

Recommendation

Make logging opt-in, redact sensitive query details, document the storage location and retention period, and provide a cleanup command.