Skill v3.2.0

ClawScan security

Pool Hotel · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 11, 2026, 2:51 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill mostly matches a hotel-search purpose but makes claims (flights, tickets, insurance), instructs installing an unvetted npm CLI, and asks the agent to persist and strictly rely on that CLI — these are coherent but contain several operational and privacy risks that deserve caution.
Guidance
This skill is instruction-only and largely coherent for hotel searches, but proceed cautiously. Key things to consider before installing or using it:
1) The skill asks you (or the agent) to npm i -g @fly-ai/flyai-cli — verify the package on the npm registry and review its source code before installing globally (prefer sandboxed testing).
2) The description promises many travel features beyond hotel search, but the SKILL.md only documents hotel CLI commands — ask the author to clarify or provide proof for other capabilities.
3) The skill may persist execution logs (including user queries) to .flyai-execution-log.json — confirm retention policy and sanitize sensitive data.
4) The strict ‘must come from CLI’ and ‘must include [Book]’ rules may cause the agent to repeatedly retry commands; consider rate limits and cost/latency implications.
5) If you need stronger assurance, request the skill owner’s homepage/source repo or ask for an explicit install spec (trusted release URL, checksum, and minimal-permission install instructions) or run the CLI in an isolated environment first.

Review Dimensions

Purpose & Capability
concern: The skill description claims broad travel capabilities (flight booking, train tickets, attractions, visa info, travel insurance, car rental) but the SKILL.md and playbooks only define hotel-related flyai CLI commands and fallbacks. There is a mismatch between the advertised scope and the actual instructions, which suggests either incomplete documentation or overstated capabilities.
Instruction Scope
concern: The runtime instructions force every answer to come from the flyai CLI and explicitly forbid using training data. They require installing @fly-ai/flyai-cli if absent and mandate re-execution until results include a [Book]({detailUrl}) link. This creates a risk of repeated CLI calls/loops if results don't match the strict checks. The runbook also instructs persisting logs (including raw user_query) to a local file when filesystem writes are available, which raises privacy/persistence concerns.
Install Mechanism
concern: Although the registry contains no install spec, SKILL.md tells the agent to run npm i -g @fly-ai/flyai-cli. Requiring a global npm package install at runtime is a moderate risk: npm packages run arbitrary code during install and execution, and the package origin and trustworthiness are not documented here. The skill does not provide a vetted release URL, checksum, or source repo to validate the package.
Credentials
note: The skill requests no environment variables or credentials (good), but the flyai CLI could require authentication or prompt for tokens at runtime (not documented). The runbook log can capture and persist user queries and CLI outputs to disk, so sensitive user data could be stored even though no explicit credential access is requested.
Persistence & Privilege
concern: The skill does not request always:true and is user-invocable, which is fine. However, it instructs writing an execution log to .flyai-execution-log.json if filesystem writes are available, persisting request_id, user_query, commands, and possibly CLI outputs. This local persistence of possibly sensitive data is a notable privilege and privacy risk.