military-leave
ReviewAudited by ClawScan on May 10, 2026.
Overview
The travel-search purpose is coherent, but the skill tells the agent to automatically install and run an unpinned global npm CLI that is not declared in the install metadata.
Review this skill before use. It appears aligned with flight search, but do not allow the automatic global npm install unless you trust the `@fly-ai/flyai-cli` package and are comfortable sharing travel searches with flyai/Fliggy.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill could cause the agent to add persistent third-party software to the machine before answering a travel query.
The skill tells the agent to fetch and globally install an unpinned npm package at runtime, while the reviewed artifact set contains no install spec or package code for that executable.
If flyai-cli is not installed, install it first... `npm i -g @fly-ai/flyai-cli`
Require explicit user approval before installation, declare the dependency in install metadata, pin a trusted version, and let users verify or install the CLI themselves.
Travel plans and search preferences may be shared with the external travel provider used by the CLI.
The workflow sends user trip details such as origin, destination, and date through the flyai/Fliggy provider, which is expected for flight search but is still a third-party data flow.
powered by Fliggy (Alibaba Group)... `flyai search-flight --origin "{{o}}" --destination "{{d}}" --dep-date {{date}}`Only enter trip details you are comfortable sending to flyai/Fliggy, and review the provider before relying on booking links.