Skill v3.2.0
ClawScan security
oversize-baggage · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 24, 2026, 8:04 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions broadly match a flight-search helper, but runtime behavior asks the agent to install and run an unvetted npm CLI and contains small mismatches (branding/source unknown) that increase risk; verify provenance before installing or running.
- Guidance: Plain-language steps and cautions before installing or running this skill:
  - Provenance: Ask the publisher/developer for the skill's source code or an official homepage. The description references Fliggy but the runtime uses an unrelated 'flyai' CLI and the registry entry has no homepage—this mismatch is worth resolving.
  - NPM install risk: The skill instructs the agent to run `npm i -g @fly-ai/flyai-cli` if the CLI is missing. Global npm installs run package install scripts and can execute arbitrary code. Only run this if you (or your admin) have verified the package on npmjs.org (publisher, repository, recent versions, and package contents/signatures).
  - Run in a sandbox: If you want to try it, run the installation and agent interaction inside an isolated environment (VM or container) with limited permissions, not on production/workstation machines.
  - Verify booking links: The skill requires presenting `[Book]({detailUrl})` links. Confirm where those links point (are they affiliate/redirects?), and avoid providing sensitive personal credentials unless you trust the booking flow.
  - Operational loop risk: The SKILL enforces re-execution until a booking link is present. Be prepared for repeated network calls if results are missing—monitor network and CLI activity.
  - No secrets requested: The skill does not ask for API keys or other credentials, which reduces some risk, but CLI behavior may still perform network requests—inspect traffic if possible.

  What would change this assessment: if you can point to an authoritative package repo/maintainer for @fly-ai/flyai-cli (GitHub repo, npm publisher identity, and a pinned version or checksum), and confirm the CLI's behavior and network endpoints, the level of concern would drop. Conversely, inability to identify the CLI publisher or evidence of unexpected network endpoints would increase the risk rating.
- Findings
[NO_CODE_FILES] expected: The scanner found no code files (this is an instruction-only skill). This is expected for SKILL.md-only skills, but leaves the CLI install/runtime behavior as the primary security surface to review.
Review Dimensions
- Purpose & Capability (note): The skill's stated purpose—searching for flights that accommodate oversize baggage—is consistent with the required runtime actions (calling a flight-search CLI). However the description claims 'powered by Fliggy (Alibaba Group)' while every runtime instruction targets a 'flyai' CLI; source/homepage are missing. This branding/source mismatch and lack of upstream provenance is unexplained.
- Instruction Scope (concern): SKILL.md tightly constrains behavior to using the flyai CLI and forbids answering from training data, which is coherent. But it requires the agent to install a global npm package at runtime if flyai isn't present (`npm i -g @fly-ai/flyai-cli`). That installation step can execute arbitrary code on the host. The skill also enforces re-execution until every result includes a `[Book]({detailUrl})` link, which could cause repeated CLI use or loops if results are missing—this operational requirement increases risk.
- Install Mechanism (concern): There is no packaged install spec in the registry; instead the SKILL.md tells the agent to run a global npm install of @fly-ai/flyai-cli. Installing a third-party npm package globally at runtime is a moderate-to-high risk action unless the package's publisher/repo is verified. The instruction lacks any verification step (no expected package version, checksum, or repository URL).
- Credentials (ok): The skill requests no environment variables, no credentials, and no config paths. From an access-proportionality perspective, it does not ask for unrelated secrets or broad system credentials.
- Persistence & Privilege (ok): The skill does not request 'always: true' and does not indicate persistent modification of other skills or system-wide settings. Autonomous invocation is enabled (the platform default) but is not combined with an explicit elevation of privilege in the skill itself.
