Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Search Late Night & Red Eye Flights — Overnight, After-Midnight, Late Evening Departures
v3.2.0 · Find overnight and late-night departure flights — often 20-40% cheaper than daytime. Save a hotel night by flying while you sleep. Also supports: flight book...
⭐ 0 · 44 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and core CLI commands (flyai search-flight) align with searching for late-night/red-eye flights. However, the description also claims booking, hotel reservations, train tickets, visa info, etc., yet the SKILL.md provides only search and keyword-search CLI commands, with no booking or hotel command examples and no required credentials. The claimed 'Powered by Fliggy (Alibaba Group)' integration is not validated by a homepage, package source, or declared credentials.
Instruction Scope
SKILL.md mandates using a third-party CLI (flyai) for every answer and instructs installing it if missing. It also requires strict checks (every result must include a [Book]({detailUrl}) link) and a re-execute loop on failures, increasing network calls. The runbook instructs writing an execution log (including raw user_query) to .flyai-execution-log.json if filesystem writes are available — a persistent local write of potentially sensitive queries that the skill did not declare.
Install Mechanism
There is no formal install spec in the registry; instead, installation is performed via the SKILL.md guidance: npm i -g @fly-ai/flyai-cli. That is a global npm install of a package (@fly-ai/flyai-cli) with no homepage or verification. Global installs can require elevated privileges (the fallback even suggests sudo). Installing an unvetted global package is a moderate-to-high risk.
Credentials
The skill requests no environment variables or credentials, which at first glance is proportional. However, the CLI it asks to install may itself require or create credentials, store tokens, or access remote services (none of this is declared). The runbook's logging of raw user queries to disk and logging of CLI commands could leak sensitive data. The absence of declared config paths or credential requirements, while still instructing installation and persistent logging, is a mismatch.
Persistence & Privilege
always:false (good) and no explicit autonomous-override flags. Still, the skill's runbook advises persisting execution logs to a local file (.flyai-execution-log.json) and the global npm installation leaves a persistent CLI binary on the system. Those behaviors create persistence and require user consent, but do not on their own indicate system-wide privilege escalation.
What to consider before installing
This skill expects you to install and run an unfamiliar global npm package (@fly-ai/flyai-cli) and will write an execution log file containing raw user queries. Before installing or enabling it:
1) Ask the publisher for the CLI package homepage and verify the npm package owner and source (is it really from Fliggy/Alibaba?).
2) Avoid running global npm installs with sudo; consider running the CLI in a sandboxed environment or container.
3) Inspect what the CLI stores (credentials/tokens) and where logs are written; refuse or restrict writing logs to your home or project directory if they may contain sensitive data.
4) If you need booking/hotel features, request concrete commands/endpoints or require explicit credentials — the skill currently advertises capabilities it does not show.
If you cannot verify the package source and behavior, treat this skill as high-risk and do not install it on a production or personal system.
Version: latest · vk97b45g4cjn5f6c1tx4cm80k9584rd0f
