Skill v3.2.0

ClawScan security

Mini Trip · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 11, 2026, 9:02 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill is plausibly a travel-planning wrapper around a CLI, but several mismatches and operational instructions (automatic npm install, filesystem logging, and a contradictory vendor claim) are unexpected and warrant caution.
Guidance
This skill appears to be a CLI-driven travel planner and is not obviously malicious, but there are several things to check before installing or enabling it:

- Verify what "flyai" is: the skill tries to install a global npm package (@fly-ai/flyai-cli). Confirm the package's publisher, source, and reputation on the npm registry or the vendor's official site before running npm i -g. Running npm globally can execute arbitrary code and may require elevated privileges.
- Ask the author about the Fliggy vs flyai mismatch: the description mentions "Powered by Fliggy (Alibaba Group)" but the runtime exclusively calls flyai CLI. This could be a documentation error or intentional mislabeling — clarify which backend actually provides the data.
- Expect local persistence: the runbook suggests appending an execution log (.flyai-execution-log.json) to the current directory if writable. Logs may contain full user queries and CLI output; run this only where such logging is acceptable, or modify the behavior.
- The skill enforces strict rules (must source all answers from the CLI, must include [Book](...) links) and may re-run repeatedly until those conditions are met. That could cause repeated network activity and CLI calls. Consider running in a sandbox or with network/install restrictions first.
- No environment credentials are requested, which is appropriate. Still review the flyai CLI's own credential requirements and privacy policy before providing any keys.

If you want to proceed safely: test the npm package in an isolated environment (container or VM), inspect the installed package contents, and confirm that flyai CLI behavior and endpoints meet your privacy and security requirements. If the vendor information remains unclear, treat this skill as untrusted.

Review Dimensions

Purpose & Capability
note: The skill claims to plan 3-day trips and routes CLI calls to a travel CLI (flyai). Requiring a travel CLI is coherent. However the top-level description also says "Powered by Fliggy (Alibaba Group)" while every runtime instruction uses a different tool (flyai CLI). This branding mismatch is unexplained and could be misdirection or sloppy documentation.
Instruction Scope
concern: Runtime instructions require executing flyai CLI commands for all data (explicitly forbids using training data) and demand re-running until every result includes a [Book]({detailUrl}) link. The runbook additionally instructs writing an execution log to .flyai-execution-log.json if filesystem writes are available. Those behaviors (forced CLI install, mandatory re-execution loop, and local logging of full requests/results) expand the skill's scope beyond simple query-to-result formatting and should be understood before enabling.
Install Mechanism
concern: There is no packaged install spec, but the skill mandates running: npm i -g @fly-ai/flyai-cli if the CLI is missing. Installing a global npm package at runtime is a moderate-to-high risk operation (network download, arbitrary code execution, potential privilege requirements). The npm registry is a common distribution channel, but the package's publisher and integrity are not documented here.
Credentials
ok: The skill does not request environment variables, credentials, or config paths. Its operations rely on the external flyai CLI for data, so no additional secrets are declared. That is proportionate to a CLI-driven travel skill.
Persistence & Privilege
note: always:false (normal). However the runbook explicitly suggests appending execution logs to a local file (.flyai-execution-log.json) if filesystem writes are available. The skill does not declare this config path in metadata; writing request/response logs to the local filesystem is persistent behavior the user should be aware of.