Skill v3.2.0
ClawScan security
Refundable Hotel · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 11, 2026, 2:53 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's core behavior (run a CLI to fetch live refundable-hotel results) is coherent, but there are unexplained/incomplete bits — it asks you to install a third-party npm CLI, claims a different data source (Fliggy) than the CLI it requires (flyai), and its runbook suggests writing a local log file though no config/file access was declared.
- Guidance: Before installing or using this skill, consider the following:
  - Verify provenance of the flyai CLI: the skill asks you to 'npm i -g @fly-ai/flyai-cli' (global install). Only install packages from sources you trust; prefer pinned versions or checksums and review the package on the npm registry or its GitHub repo first.
  - Ask the skill author how authentication is handled: the manifest lists no API keys or env vars, but the CLI probably needs credentials. Do not provide unrelated secrets.
  - The SKILL.md claims 'Powered by Fliggy' but uses the 'flyai' CLI — ask which upstream data provider is actually used and request clarity on legal/branding claims.
  - The runbook suggests writing an execution log file (.flyai-execution-log.json). If you care about disk writes or data residency, ask the author to make logging explicit, optional, and configurable (or disabled).
  - If you will run this in an automated/agent context, prefer running the CLI in a sandboxed environment (limited filesystem/network) and avoid global npm installs in privileged environments.
  - If you need higher confidence, request an explicit install manifest (trusted download URL / GitHub releases) and a description of what data the flyai CLI collects, what credentials it needs, and whether the package has known maintainers/repository.
Review Dimensions
- Purpose & Capability
  - note: The declared purpose (find hotels with free cancellation) matches the instructions to run a hotel-search CLI. However, the SKILL.md claims 'Powered by Fliggy (Alibaba Group)' while every runtime command uses a separate tool, the 'flyai' CLI — that mismatch is unexplained and could indicate inaccurate provenance claims.
- Instruction Scope
  - concern: Instructions require running flyai CLI commands for all answers and explicitly forbid using training data. This is fine for a live-data skill, but the runbook includes a command to append logs to .flyai-execution-log.json (a filesystem write) even though the skill manifest declares no config paths or filesystem requirements. The skill also enforces strict output rules (must include detailUrl links), which is reasonable but could force repeated CLI invocations if outputs don't match the template.
- Install Mechanism
  - concern: There is no install spec in the registry metadata; the SKILL.md instructs the agent/user to run 'npm i -g @fly-ai/flyai-cli' if the CLI is missing. Installing a global npm package is a non-trivial action: npm packages are third-party code that will be downloaded and executed on the host. The skill does not provide a pinned version, checksum, or an alternate trusted install source.
- Credentials
  - concern: The manifest declares no required environment variables or credentials, but the flyai CLI likely requires an account or API key to access live pricing/booking links — the SKILL.md does not state any required credentials or how authentication should be provided. That omission is a mismatch between the claimed minimal requirements and the realistic needs of a live-data CLI.
- Persistence & Privilege
  - concern: always:false and normal autonomous invocation are expected. However, the runbook explicitly suggests persisting an execution log by appending to '.flyai-execution-log.json' if filesystem writes are available. The manifest did not declare any config paths; persistent logging to the working directory is a form of persistence that should be disclosed.
