Skillv3.2.0

ClawScan security

one-way · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 24, 2026, 8:03 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions largely match a one-way flight search tool but include unexpected behaviors (automatic global npm install, local logging of queries, and a vendor/name mismatch) that warrant caution before installing or letting it run autonomously.
Guidance: This skill appears to do what it says (use a CLI to search one-way flights), but there are a few practical risks to consider before installing or allowing it to run automatically: - The SKILL.md tells the agent to run 'npm i -g @fly-ai/flyai-cli' if the flyai CLI is missing. A global npm install downloads code from the public registry and may require elevated privileges. Prefer to install such packages yourself after verifying the publisher (check the npm page, README, and package owner) rather than letting an automated agent run the command. - The skill's description mentions Fliggy but the runtime uses 'flyai'; this mismatch is unexplained. Verify the provenance: where does flyai come from and who operates it? - The runbook instructs writing an execution log (.flyai-execution-log.json) containing raw user queries and CLI output. If your queries include personal data (names, itinerary details, passport info), those will be persisted on disk. Decide whether you want local logs and where they will be stored. - The skill enforces strict output formatting and a re-execution 'self-test' which could cause repeated CLI calls and network traffic if outputs do not match expected patterns. Recommended actions before use: 1. Manually verify the @fly-ai/flyai-cli package on npm (owner, downloads, homepage, repository, recent activity). Do not blindly allow the agent to perform a global npm install. 2. If you allow installation, prefer local sandboxed environments or a user-level install rather than system-wide global install. 3. Decide whether persistent logs are acceptable; if not, prevent or sanitize the skill's ability to write files. 4. If you need stronger assurance, ask the skill author for an authoritative homepage, source repo, or signed release for the flyai CLI. Given these unexplained behaviors (external install instruction, local logging, metadata mismatch), treat the skill as suspicious until provenance and install practices are confirmed.

Review Dimensions

Purpose & Capability: noteThe skill claims to search one-way travel and the SKILL.md consistently instructs use of a flight-search CLI (flyai). However the top-level description mentions 'Powered by Fliggy (Alibaba Group)' while the runtime tooling is 'flyai'/@fly-ai/flyai-cli — this mismatch is unexplained and may indicate sloppy metadata or misattribution.
Instruction Scope: concernInstructions require executing the external flyai CLI for every query and mandate installing it if missing. The runbook also instructs the agent to append an execution log to .flyai-execution-log.json (potentially storing user queries and CLI output). The SKILL.md enforces re-execution until a specific output format is achieved, which could cause repeated network calls or installations. No instructions reference unrelated system credentials, but local disk writes and repeated installs are outside a simple 'search' action and should be considered.
Install Mechanism: concernThere is no declared install spec in the registry, yet the instructions tell the agent to run 'npm i -g @fly-ai/flyai-cli' if flyai is missing. Installing a global npm package is a network download and may require elevated privileges (sudo/root) on some systems. Because the skill does not declare or verify the package source (no homepage or checksum provided), this is a moderate-to-high risk installation action coming from instruction text rather than an explicit, audited install spec.
Credentials: concernThe skill does not request environment variables or external credentials (good), but it asks to install a global CLI and to write execution logs containing the raw user_query and CLI responses. Global installs can require elevated privileges, and persistent logs can contain PII or sensitive query content. Both behaviors are disproportionate to a minimal 'search one-way flight' description unless the user expects local logging and package installation.
Persistence & Privilege: noteThe skill is not always-enabled and does not request special platform privileges. However it asks the agent to persist execution logs to a local file (.flyai-execution-log.json) if filesystem writes are available. That creates persistent data retention and should be disclosed to users; it does not directly modify other skills or global agent settings, but the global npm install step may alter the system environment.